Deep Discovery 4.1 Advanced Threat Detection Certified Professional - Lab Guide

The document is a lab manual for Trend Micro's Deep Discovery Advanced Threat Detection training, version 4.1, released in April 2023. It includes detailed instructions for accessing a virtual lab environment, configuring various Deep Discovery products, and conducting exercises related to threat detection and analysis. The manual covers multiple labs focused on submitting suspicious objects, configuring settings, troubleshooting, and reporting within the Deep Discovery ecosystem.

Uploaded by Jeff Horton

Trend Micro™ Deep Discovery™

Advanced Threat Detection 4.1


Training for Certified Professionals
Lab Manual
Copyright © 2023 Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect,
and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated.
All other product or company names may be trademarks or registered trademarks of
their owners.

Portions of this manual have been reprinted with permission from other Trend Micro
documents. The names of companies, products, people, characters, and/or data
mentioned herein are fictitious and are in no way intended to represent any real
individual, company, product, or event, unless otherwise noted. Information in this
document is subject to change without notice.

No part of this publication may be reproduced, photocopied, stored in a retrieval system,
or transmitted without the express prior written consent of Trend Micro Incorporated.

Released: April 10, 2023


Trend Micro Deep Discovery Advanced Threat Detection
Courseware: 4.1
(DDI 6, DDAN 7.2, DDD 5.3, and DDEI 5.1)
CONTENTS
Lab 1: Accessing the Deep Discovery Virtual Lab.......................................................................1
Exercise 1: Accessing the Product Cloud Lab Environment............................................................................. 3

Lab 2: Submitting Suspicious Objects to Deep Discovery Analyzer .....................................9


Exercise 1: Lab Preparation — DDI and DDAN...................................................................................................... 9
Exercise 2: Connecting Deep Discovery Inspector to Deep Discovery Analyzer ...................................... 17
Exercise 3: Lab Preparation — Malware Samples .............................................................................................20
Exercise 4: Testing Virtual Sandbox Analysis Process.................................................................................... 21
Exercise 5: Manually Submitting Suspicious Samples to Deep Discovery Analyzer ............................... 23
Exercise 6: Investigating Deep Discovery Analyzer Virtual Analysis Results...........................................26
Exercise 7: Managing Suspicious Objects .......................................................................................................... 32
Exercise 8: Adding Suspicious Objects to the Exceptions List ..................................................................... 33

Lab 3: Configuring Deep Discovery Inspector on a Virtual Machine ................................. 35


Exercise 1: Adding a Network Group....................................................................................................................35
Exercise 2: Adding Registered Domains and Services....................................................................................42
Exercise 3: Updating Components...................................................................................................................... 46
Exercise 4: Setting Geographic Location.......................................................................................................... 49
Exercise 5: Configuring Time Zone Settings.................................................................................................... 50

Lab 4: Verifying the Deep Discovery Inspector Installation ................................................. 51


Exercise 1: Verifying Access to Back-end Services ...........................................................................................51
Exercise 2: Testing with Demo Rules ................................................................................................................. 54
Exercise 3: Testing the URL Filtering Engine....................................................................................................59
Exercise 4: Testing NCIE-Based Detections .......................................................................................................61

Lab 5: Troubleshooting ................................................................................................................. 63


Exercise 1: Identify if DDI Can See Network Traffic .........................................................................................63
Exercise 2: Verifying Detection Capabilities .....................................................................................................67
Exercise 3: Checking Current System Status of Deep Discovery Inspector..............................................69
Exercise 4: Restoring System Utilization ...........................................................................................................70
Exercise 5: Generating and Exporting Debug Logs .......................................................................................... 71

Lab 6: Using Dashboard Widgets for Investigating Threats ................................................ 75


Exercise 1: Lab Preparation - Generating Detections using Packet Captures...........................................75
Exercise 2: Investigating Dashboard Widget Information..............................................................................79
Exercise 3: Finding the Root Cause .................................................................................................................... 84
Exercise 4: Using Top Affected Hosts Widgets to Identify Compromised Hosts .................................. 86
Exercise 5: Viewing C&C Communications ...................................................................................................... 88
Exercise 6: Using Threat Connect to Obtain Threat Intelligence..................................................................91
Exercise 7: Finding non-Windows Malware....................................................................................................... 94

© 2023 Trend Micro Inc. Education I


Lab 7: Analyzing Logs and Managing Detection Rules ......................................................... 95
Exercise 1: Lab Preparation — Generating Detections.....................................................................................95
Exercise 2: Identifying Affected Hosts ...............................................................................................................97
Exercise 3: Enabling Detection Rules................................................................................................................ 109
Exercise 4: Disabling Logs for Safe Events .......................................................................................................113
Exercise 5: Marking Detections as Resolved.................................................................................................... 119
Exercise 6: Exporting Logs for your Security Team........................................................................................121
Exercise 7: Deactivating Detection Rules ........................................................................................................ 124

Lab 8: Reporting ............................................................................................................................129


Exercise 1: Generating On-demand Reports .................................................................................................... 129
Exercise 2: Creating a Scheduled Report..........................................................................................................132
Exercise 3: Obtaining IOCs from Virtual Analyzer Report Investigation Packages............................... 134

Lab 9: Configuring Deep Discovery Email Inspector and Verifying the Install .............. 137
Exercise 1: Activating and Setting the System Time ......................................................................................137
Exercise 2: Setup Virtual Analyzer Settings to use Deep Discovery Analyzer....................................... 139
Exercise 3: Configuring Mail Settings ................................................................................................................ 141
Exercise 4: Disabling Smart Feedback in DDEI ............................................................................................... 145
Exercise 5: Testing Virus Detection in Deep Discovery Email Inspector.................................................. 146
Exercise 6: Verifying if Events Have Been Detected..................................................................................... 148
Exercise 7: Test Component Updates (Engines/Patterns) .......................................................................... 149

Lab 10: Configuring Deep Discovery Email Inspector Policies............................................. 151


Exercise 1: Creating a Policy Object For Content Filtering ............................................................................151
Exercise 2: Configuring Content Filtering........................................................................................................ 153
Exercise 3: Creating a new Policy for Content Filtering............................................................................... 154
Exercise 4: Testing the Content Filter Policy.................................................................................................. 156
Exercise 5: Viewing the Content Filter Policy Violation ............................................................................... 156
Exercise 6: Viewing the Quarantine .................................................................................................................. 157

Lab 11: Managing Devices through Deep Discovery Director ..............................................159


Exercise 1: Registering with Deep Discovery Director .................................................................................. 159
Exercise 2: Populating the Deep Discovery Director Repository ............................................................... 166
Exercise 3: Creating a Hotfix / Critical Patch Deployment Plan................................................................. 168



Lab 1: Accessing the Deep Discovery Virtual Lab
In this lab, students explore the virtual lab environment that will be used to complete the lab activities in
this training. The lab environment is delivered as a virtual application through Trend Micro Product Cloud
2.0 and will be accessed from a web browser on your computer. Google Chrome is the preferred browser
for this environment.

Estimated time to complete this lab: 10 minutes

LAB OBJECTIVES:
• Network Setup
• Back-End vApp Network Topology
• Login Credentials
• Accessing the Product Cloud Lab Environment

The specific settings that are configured on each host in the environment, and the steps to access each
host, are provided below. Carefully read all the information provided here before starting the
hands-on lab exercises.

Network Setup
The network configuration, device settings and login credentials for each virtual machine in the
classroom environment are listed here:

VM Name              Login Credentials           Product                             IP/Netmask                      Operating System
VM-DDD-01            admin / Trendmicro0!        DDD                                 192.168.2.121                   CentOS 7.0
VM-DDI-01            admin / admin               DDI                                 192.168.2.110                   CentOS 7.0
VM-DDAN-01           admin / Trendmicro0!        DDAN                                192.168.2.120, 192.168.2.122    CentOS 7.0
VM-DDEI-01           admin / Trendmicro0!        DDEI                                192.168.2.130                   CentOS 7.0
VM-WIN2012           administrator / trendmicro  Windows Server + Apex Central       192.168.2.41                    Windows Server 2012 R2 Standard
VM-DC2016            administrator / trendmicro  Windows Server + Domain Controller  192.168.2.230                   Windows Server 2016 Standard
VM-KALI-01           root / trendmicro           SMTP Server                         192.168.2.232                   Other Linux
[CLI] Linux Router   root / trendmicro           Router (pfSense)                    192.168.2.121                   FreeBSD

Gateway/DNS (all VMs): G/W 192.168.2.1, DNS 10.34.47.251


Back-End vApp Network Topology


The following diagram shows the virtual network layout of the virtual machines that will be used in
this training.

This virtual lab environment (vApp) is designed to complete student lab activities that are included in
the latest version of Deep Discovery Certified Professional Training.

The following products and applications are included:


• Deep Discovery Inspector
• Deep Discovery Analyzer (Linux and Windows sandboxes already imported)
• Deep Discovery Director
• Deep Discovery Email Inspector
• SMTP Server on VM-KALI-01

Important Application Credentials


Some of the more frequently accessed URLs, and credentials for the pre-installed components within the
virtual lab environment are listed here for your convenience.

Deep Discovery Inspector


• URL: https://192.168.2.110
• admin / Trendmicro0!

Deep Discovery Analyzer


• URL: https://192.168.2.120
• admin / Trendmicro0!

Apex Central
• URL: https://192.168.2.41/WebApp.login.html
• admin / Trendmicro0!

Kali-Linux and SMTP Server (residing on VM-KALI-01)


• root / trendmicro


Login Credentials
The instructor will distribute a unique user name and password to each class participant. These
credentials will be used for the duration of this training session. Write the user name and password here
for easy retrieval when needed during the different labs.
• User name: __________________________________________________
• Password: ___________________________________________________

Exercise 1: Accessing the Product Cloud Lab Environment
In this exercise, participants will access the classroom virtual application through the email link delivered
to participants by Trend Micro Product Cloud. The lab environment is available for the duration of the
training session only and will be reset automatically at the end of the final day of class.

Note: Google Chrome is the recommended browser to use for the classroom exercises.

1 In the email message that was sent to you by Trend Micro, click the link to access the lab
environment.

Note: If you did not receive the email message with the link, you may not have been correctly
registered for the class. Please inform the instructor immediately.


2 The Product Cloud 2.0 Training page displays the virtual lab that has been provisioned for you.
Hover over the workstation icon on the far right, and select Go to Lab Detail.

3 The Lab View is presented. This view displays the virtual machines available in the vApp.


4 Hover your mouse over one of the virtual machines, and click Remote Control.

Note: If the Status column displays a red icon, the virtual machine may not yet be running. In this
scenario, click the Start icon. Once the Status icon is green, you can click Remote Control to
access the virtual machine.

5 The selected virtual machine will be launched. It will take a moment for the VM to load and the
window to be resized.


6 To maximize the virtual machine window, click the maximize button on the toolbar.

Note: On higher resolution laptops, a resolution of 1920x1080 is recommended for optimal display.

7 To log into the virtual machine, click the CTRL+ALT+DEL button on the toolbar to send a CTRL+ALT+DEL
command to the virtual machine. Log in with the appropriate username and password as indicated in the
exercise steps.


8 To switch between the different virtual machines in the environment, click the image switcher in
the upper right-hand corner of the window.

Note: The connection icon on the toolbar will indicate if the network connection is adequate to run
the lab environment. Green bars should be displayed.

Once you are comfortable with navigating around the Product Cloud environment, proceed to Lab 2.



Lab 2: Submitting Suspicious Objects to Deep Discovery Analyzer
In this lab, Deep Discovery Analyzer will be used to investigate suspicious files, and students will examine
Virtual Analyzer reports to investigate exact behaviors of a particular suspicious file.

Note: In the following lab activities, you will be using a virtual Deep Discovery Analyzer for analyzing
samples. This is not an official Trend Micro supported environment and is only being used for lab
testing purposes. This setup should not be used for the delivery of Proof of Concepts.

Additionally, since this lab setup is unsupported, you might observe some cases where the Deep
Discovery Analyzer will appear to take longer than normal to analyze samples.

Estimated time to complete this lab: 50 minutes

LAB OBJECTIVES
• Lab Preparation — DDI and DDAN
• Connecting Deep Discovery Inspector to Deep Discovery Analyzer
• Lab Preparation — Malware Samples
• Testing Virtual Sandbox Analysis Process
• Manually Submitting Suspicious Samples to Deep Discovery Analyzer
• Investigating Deep Discovery Analyzer Virtual Analysis Results
• Managing Suspicious Objects
• Adding Suspicious Objects to the Exceptions List

Note: To avoid possible time constraints, the DDAN VM in your student vApp has been pre-loaded with
sandbox images (Windows 10 and Linux CentOS) for use by DDAN for sample analysis.

Exercise 1: Lab Preparation — DDI and DDAN

Configure DDI in vApp for Upcoming DDAN Lab Activities


In this activity, students will configure preliminary network settings for the Deep Discovery Inspector,
and also install a license string to activate it, for preparation of upcoming Deep Discovery Analyzer
lab activities. At this time, follow the steps below to complete the Deep Discovery Inspector network
configuration. Full details regarding the Deep Discovery Inspector configuration will be provided later
in this training.


Configuring DDI Network Settings

In this activity, you will use the Deep Discovery Inspector Pre-Configuration Console to configure
initial network settings for Deep Discovery Inspector.
1 In the lab environment, switch to the VM-DDI-01 virtual machine, and hit the Enter key to display
the screen.
The Deep Discovery Inspector Pre-Configuration Console will be displayed as follows:

2 Enter the default password admin, use the Tab key to select Log On, and press Enter. This will
display the Main Menu.
3 Select the menu item 2) Device Settings to configure the network settings for the Deep Discovery
Inspector, and press Enter.

4 In the Device Settings, enter the following configuration:

Type: static
IP address: 192.168.2.110
Subnet mask: 255.255.255.0
Gateway: 192.168.2.1
DNS server 1: 10.34.47.251
DNS server 2: 8.8.8.8


5 To save your settings, use the Enter Key to navigate to Return to main menu.

6 Next, select the option 6) Log Off with Saving and press the Enter key.

7 With OK selected, press ENTER to confirm the save action.


8 This displays the following screen, indicating the URL for accessing the Deep Discovery Inspector
web console.

This URL will be needed in the next activity below.
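As an added check that is not part of the original lab manual, the following Python function validates a static network configuration such as the one entered in the Device Settings step before it is committed: it confirms the address is a usable host address within the netmask, that the gateway lies in the same subnet, and that every DNS entry is a well-formed IPv4 address. The values in DDI_SETTINGS are the lab's; the function and its messages are mine and are not part of Deep Discovery Inspector.

```python
import ipaddress

# The values from the Device Settings step above (lab values, not production ones).
DDI_SETTINGS = {
    "type": "static",
    "ip": "192.168.2.110",
    "netmask": "255.255.255.0",
    "gateway": "192.168.2.1",
    "dns": ["10.34.47.251", "8.8.8.8"],
}


def validate_static_settings(cfg):
    """Return a list of problems found in a static IPv4 configuration.

    An empty list means the settings are internally consistent. This is an
    added sanity check, not a DDI function; it only reasons about the values,
    it does not touch the network.
    """
    problems = []
    if cfg.get("type") != "static":
        problems.append("type must be 'static' for a fixed management address")

    # ipaddress accepts a dotted netmask after the slash, so no conversion is needed.
    try:
        iface = ipaddress.IPv4Interface(f"{cfg['ip']}/{cfg['netmask']}")
    except (ValueError, KeyError) as exc:
        return [f"invalid IP/netmask: {exc}"]
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")

    # The default gateway must be directly reachable, i.e. inside the same subnet.
    try:
        gw = ipaddress.IPv4Address(cfg["gateway"])
    except (ValueError, KeyError) as exc:
        problems.append(f"invalid gateway: {exc}")
    else:
        if gw not in net:
            problems.append(f"gateway {gw} is outside {net}; the appliance cannot reach it")
        elif gw == iface.ip:
            problems.append("gateway equals the appliance's own address")

    dns = cfg.get("dns") or []
    if not dns:
        problems.append("at least one DNS server is required")
    for entry in dns:
        try:
            ipaddress.IPv4Address(entry)
        except ValueError:
            problems.append(f"DNS server {entry!r} is not a valid IPv4 address")
    return problems


if __name__ == "__main__":
    for name, cfg in (("lab settings", DDI_SETTINGS),
                      ("wrong gateway", {**DDI_SETTINGS, "gateway": "10.0.0.1"})):
        print(name, "->", validate_static_settings(cfg) or "OK")
```

Running the block as a script reports the lab settings as consistent and flags the mis-subnetted gateway; the same function can be pointed at the address table in Lab 1 to catch typos before an appliance is cut over.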

Activating Deep Discovery Inspector

In this activity, students will activate the Deep Discovery Inspector using the Deep Discovery
Inspector web console.
1 In the lab environment, switch to the VM-WIN2012 virtual machine.
2 To log in to Windows 2012, select the lock icon (CTRL+ALT+DEL) that is displayed in the top right-
hand corner of the window and enter the following credentials:
• Username: Administrator
• Password: trendmicro
3 Next, open a web browser and connect to the Deep Discovery Inspector web console using the
following URL: https://192.168.2.110.
Alternatively, you can use the DDI tab that is provided in the web browser Favorites.

4 If a security certificate error appears, click Continue to this website (not recommended) and
accept the security warning.
5 Log in to the Deep Discovery Inspector web console using the credentials admin/admin.


6 Click Log on or hit Enter. You will be prompted to change the admin user’s password. Enter the
New password: Trendmicro0! which meets the password criteria as indicated below.

7 Click Save or hit Enter to continue.


8 At this point, the Deep Discovery Inspector must be activated. Click the link Specify a valid
Activation Code shown in the banner beneath the menu, then click New Activation Code.


9 Enter the Activation Code that resides on the Windows Desktop in the file named license.txt
and click Save.

10 Next, click Agree to accept the license agreement.


11 From the Licenses screen, click the Refresh button in order to update the license status. The
Deep Discovery Inspector license status should now appear as Activated.


Disabling Smart Feedback in DDI and DDAN


An additional Lab Preparation activity to perform before completing the Deep Discovery Analyzer
exercises in this lab, is to disable the Smart Feedback function in DDI and DDAN. The steps are
provided below.

Note: This is only a requirement for the purposes of our virtual lab environment in order for the lab
exercises to work correctly.

1 Still connected to the Deep Discovery Inspector web console (https://192.168.2.110), go to
Administration > Monitoring/Scanning > Threat Detections.
2 Under Smart Feedback, remove the check mark in the box for Enable Smart Feedback
(recommended) to disable it as follows:

3 Click Save to continue.


4 Next, connect to the Deep Discovery Analyzer web console by browsing to:
https://192.168.2.120
(Alternatively, you can use the DDAN tab that is provided in the browser Bookmarks bar.)

• Log in to the Deep Discovery Analyzer web console using the following credentials:
- admin / Trendmicro0!


5 In the Deep Discovery Analyzer web console, go to Virtual Analyzer > Sandbox Management >
Smart Feedback and uncheck the option Enable Smart Feedback (recommended).

6 Click Save after you have disabled Smart Feedback.


Exercise 2: Connecting Deep Discovery Inspector to Deep Discovery Analyzer
This activity guides you through the steps for connecting Deep Discovery Inspector to Deep Discovery
Analyzer for sandbox analysis. As already noted above, to avoid possible time constraints, the Deep
Discovery Analyzer has been pre-installed and loaded already with a sandbox image that can be used for
investigating file submissions.

Best Practice: In actual deployments, always use sandbox images that closely match the
configuration of systems within your own network profile. For example, if the hosts in
your environment are running Windows 10, then you should create and import a
Windows 10 sandbox image that closely resembles those specific Windows 10
workstation configurations.

1 In the Deep Discovery Analyzer web console, go to Help > About. This is where the Deep
Discovery Analyzer API key is located that is needed in the next step to configure the connection
between Deep Discovery Analyzer and Deep Discovery Inspector.
2 Under Product Information, copy the Deep Discovery Analyzer API key.

3 Next, open a second tab in the web browser and connect to the Deep Discovery Inspector web
console.


4 In the Deep Discovery Inspector web console, go to Administration > Virtual Analyzer > Setup and
enable the check box Submit files to Virtual Analyzer.

5 Next, confirm that Virtual Analyzer is set to External and set the Server address to the DDAN’s IP
address: 192.168.2.120.

The DDAN has already been installed and fully configured on VM-ANALYZER for your use in the
vApp.
6 Next, in the API key field, paste in the API key that you obtained earlier from the Deep Discovery
Analyzer.


7 Verify the communications between the DDI and DDAN, by selecting Test Connection. Inform
your instructor if the connection test fails.
8 Once the connection has been verified, click OK to continue.

9 Next, click Save, and click OK to accept the Virtual Analyzer storage size warning message that
appears.

The changes will get applied.


Exercise 3: Lab Preparation — Malware Samples


When Deep Discovery Inspector detects a suspicious sample, it submits the file to Deep Discovery
Analyzer for virtual analysis. To test this capability in the student lab environment, the malware
samples used must not already be known to Deep Discovery Analyzer; otherwise the sample is
recognized by the Deep Discovery ATSE engine in real time and (based on the default Deep Discovery
Inspector file submission settings) is not sent to Deep Discovery Analyzer for virtual sandbox analysis.

Note: For the purposes of having some DDAN analysis results to observe for the lab activities below, we
will configure the Deep Discovery Inspector to send “known” malware to Deep Discovery
Analyzer. Do NOT configure this in actual deployments unless you are doing so for testing
purposes only.

1 If not already logged into the Deep Discovery Inspector web console, log back in and go to
Administration > Virtual Analyzer.
2 Next, to configure which files Deep Discovery Inspector will submit to the virtual analyzer in Deep
Discovery Analyzer, select File Submissions from the navigation pane on the left.
3 By default, the following File Submission Rules are predefined:

Note: Transferred files are compared against Deep Discovery Inspector’s File Submission rules based
on priority. For example, if a file matches rule priority 1 (“Do not submit files”) and rule priority 2
(“Submit files”), the file will match “Do not submit files”. Ensure to take the priority order into
careful consideration when configuring File Submissions rules.

4 To enable the file submission for “Known Malware”, click the Edit icon at the end of line 1 for
Known malware.


5 In the New Submission Rule screen, select the option Submit which is listed under Action:

6 Click Update, and then click Save.


You have now configured Deep Discovery Inspector to submit known malware to the Deep
Discovery Analyzer in preparation for upcoming lab activities.
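The priority behaviour described in the note under step 3 (a file matching both rule 1 "Do not submit" and rule 2 "Submit" is not submitted) and the effect of the edit made in step 5 are easy to reason about with a small model. The Python below is an added illustration, not Deep Discovery Inspector code: the rule criteria, the SUBMITTABLE_TYPES set and the sample transfer records are constructed for the example, and only the priority-ordered, first-match evaluation is the point being shown.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed: file types the "Submit files" rule is assumed to cover.
SUBMITTABLE_TYPES = {"exe", "dll", "doc", "docx", "pdf", "js"}


@dataclass
class SubmissionRule:
    priority: int                    # 1 is evaluated first
    name: str
    action: str                      # "Submit" or "Do not submit"
    matches: Callable[[Dict], bool]  # predicate over a transferred-file record


def default_rules() -> List[SubmissionRule]:
    """Approximation of the predefined rules: known malware (already identified
    by ATSE) is not submitted; anything else of a supported type is."""
    return [
        SubmissionRule(1, "Known malware", "Do not submit",
                       lambda f: f["known_malware"]),
        SubmissionRule(2, "Submit files", "Submit",
                       lambda f: f["file_type"] in SUBMITTABLE_TYPES),
    ]


def lab_rules() -> List[SubmissionRule]:
    """The change made in Exercise 3, step 5: rule 1 edited so its Action is Submit."""
    rules = default_rules()
    rules[0].action = "Submit"
    return rules


def first_matching_rule(rules: List[SubmissionRule], transfer: Dict) -> Optional[SubmissionRule]:
    """Return the highest-priority rule the transfer matches, or None.

    Lower priority number wins regardless of the order the rules are stored in,
    which is why a file that matches both rule 1 and rule 2 takes rule 1's action.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(transfer):
            return rule
    return None


def should_submit(rules: List[SubmissionRule], transfer: Dict) -> bool:
    """True only when the first matching rule says Submit; a transfer that
    matches no rule is not submitted either."""
    rule = first_matching_rule(rules, transfer)
    return rule is not None and rule.action == "Submit"


# Constructed transfer records mirroring the lab samples; file names are the lab's,
# the flags are assumed for the example.
KNOWN_SAMPLE = {"name": "malwaresample1.exe", "file_type": "exe", "known_malware": True}
UNKNOWN_DOC = {"name": "L1-1.doc", "file_type": "doc", "known_malware": False}
UNLISTED = {"name": "notes.txt", "file_type": "txt", "known_malware": False}

if __name__ == "__main__":
    for label, rules in (("default", default_rules()), ("lab", lab_rules())):
        for t in (KNOWN_SAMPLE, UNKNOWN_DOC, UNLISTED):
            rule = first_matching_rule(rules, t)
            verdict = "submit" if should_submit(rules, t) else "do not submit"
            print(f"{label:7} {t['name']:20} -> {rule.name if rule else 'no rule'}: {verdict}")
```

With the default rules the known sample hits rule 1 first and stays on the appliance, which is exactly why the lab flips that rule to Submit; the unlisted text file shows the other edge case, a transfer that matches nothing and is therefore never submitted.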

Exercise 4: Testing Virtual Sandbox Analysis Process


In the following activity, you will use an internal testing web page called demo.trendenablement.com
to generate malicious file samples that Deep Discovery Inspector will detect and then submit to the Deep
Discovery Analyzer for virtual sandboxing analysis.
1 Using a web browser on VM-WIN2012, connect to web site demo.trendenablement.com
(Alternately you can use the Deep Discovery Demo tab that is located in the web browser
Bookmarks bar.)


2 Log in to the Deep Discovery Demo web page using the following credentials:
trendse / demos
3 Click Download Sample #1 and save the file to your Desktop. DO NOT run the sample file.

4 When the “Sample sent and refresh” notification appears, click Close to continue downloading
the malware.
5 Wait 15-20 seconds, then connect to the web console of the Deep Discovery Analyzer.
6 Go to Virtual Analyzer > Submissions and select the Processing tab to view the submissions that
are currently being processed by the Deep Discovery Analyzer.
You should see the malwaresample1.exe file that you downloaded from the demo site in the
previous step similar to the following.

Note: If the Deep Discovery Inspector has NOT submitted this malware to DDAN after following the
above steps, please click on the Submit object link that appears at the top right-hand corner of
the Submissions page to manually submit the file to DDAN instead. This is a vApp lab
environment limitation only.

7 Once the virtual analysis process has completed, the event will appear under the Completed tab
as shown below.


Note: It can take several minutes in the vApp environment for the event to appear. Proceed to the next
lab activity without waiting, then come back to this step later to verify the results once enough
time has elapsed.

Exercise 5: Manually Submitting Suspicious Samples to Deep Discovery Analyzer
In this exercise, the Deep Discovery Analyzer web console will be used to manually submit a file to the
Deep Discovery Analyzer virtual analyzer for further investigation.

Note: Files can alternately be manually submitted using the Deep Discovery Analyzer CLI tool located
in the following folder: DDAN/Administration/Tools.

For more information on using this submission tool, you can refer to the online Deep Discovery
Analyzer administration guide (https://docs.trendmicro.com/en-us/enterprise/deep-discovery-analyzer-71/introduction/about-official-produ.aspx).

1 In the Deep Discovery Analyzer web console, go to Virtual Analyzer > Submissions and click the
link called Submit objects that appears in the top right hand corner of the web console (in blue
text).


2 Select Choose File then browse to C:/Lab_Files/distri/cve and select the file L1-1.doc.
3 Once the file is selected, click Open, then click Submit to send this file to the Deep Discovery
Analyzer.

4 Once the above sample file has been manually submitted, click the Processing tab to view the
submissions that are currently being processed by the Deep Discovery Analyzer.
The file will be listed as follows, with the Submitter information displaying as Manual Submission
to indicate that it was manually submitted to Deep Discovery Analyzer by a user.

5 In cases where the Deep Discovery Analyzer is not yet ready to process a received submission, it
will hold the object in the submissions queue until resources are available to analyze it. You can
view all submissions that are still waiting to be processed by the VA from the Queued tab.

Note: (OPTIONAL STEP) If you want to explore the DDAN submissions queuing process in your
environment, repeat the above step a few times to manually submit the sample
malwaresample1.exe that is located on your Desktop.


6 Once the analysis process has completed for the manually submitted L1-1.doc file, the
following event will be listed under the Completed tab.

Note: It can take several minutes (approximately 20 minutes) in the virtual lab environment for the
event to appear under the Completed tab. Do not wait for the sample to be processed. Continue
on to the next lab activity. You will have an opportunity to explore this sample again later.


Exercise 6: Investigating Deep Discovery Analyzer Virtual Analysis Results
In this activity, we will manually submit another sample and then investigate the analysis results
produced by Deep Discovery Analyzer.
1 Still on the Virtual Analyzer > Submissions page in the Deep Discovery Analyzer web console, use
the Submit objects button again to manually submit the file TRENDX_sign-A.exe located in
C:/Lab_Files/distri/trendx.
2 Once the file has been analyzed by Deep Discovery Analyzer, select the Completed tab. (It may
take a few minutes for the file to be analyzed.)
3 Click the entry for the TRENDX_sign-A.exe submission to view all the details.
This will display the Deep Discovery Analyzer Virtual Analyzer results similar to the following.

Notice the explanation for the sample listed next to Notable characteristics. This description will
indicate any suspicious or malware characteristics that Deep Discovery Analyzer observed when
executing this file in the virtual sandbox.
In this case, the sample exhibited Malformed, defective, or known malware traits.

The analysis information above will be examined more closely in a later step.


4 Next go to Dashboard > Virtual Analyzer Summary.

5 Take a bit of time to examine some of the information that is provided.


• How many files were analyzed in the Past 30 days?
• What was the threat severity?
• Were all the files that were analyzed Malicious?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
6 (Optional Step) Connect to the Deep Discovery Inspector web console, and verify the suspicious
objects results from the Deep Discovery Inspector. Go to Dashboard > Virtual Analyzer Status
and examine the Top Suspicious Files widget. Examine the information that is provided for the
analyzed files.
What was the name of the last file analyzed?
______________________________________________________________________________


7 Back in the web console on the Deep Discovery Analyzer, go to Dashboard > Summary and from
the Virtual Analyzer Summary widget, select the number 3 link next to Submissions.

8 This automatically redirects you to the Virtual Analyzer > Submissions page where you can drill
down further to learn more about the analyzed objects.
9 Click on the entry for the file object L1-1.doc.


10 Next, select the HTML icon next to Report to display the Virtual Analyzer report for this file.

This displays the Virtual Analyzer Report. A partial view of the report is shown in the following
illustration.

The Virtual Analyzer report provides detailed analysis information for the analyzed object to
help you and your SOC team investigate and mitigate risk. Notice that the Virtual Analyzer
classified this particular analyzed object as HIGH RISK.


11 Scroll down the report to find out why the VA classified the object as HIGH RISK. Hint: Examine
the Notable Threat Characteristics details as you did earlier.
Summarize here some of the threat characteristics that the VA observed when it analyzed the
object.
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
12 Did the Virtual Analyzer detect any dropped files? Explain.
Hint: The malware deleted files, but it also dropped at least one file. List the name of a dropped file
if you can find it. Can you tell which detection engine detected this file?
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
13 Scroll down to Network Destinations. How many networks did the file try to access?_____________
14 To confirm your answers for step 12 above, examine the Dropped or Downloaded Files area. Was
the file a known malware?________
15 Under Suspicious Objects, is there a SHA1 value for the object? Provide the value here if there is
one.
______________________________________________________________________________________
16 Navigate to the Process Graph Legend to understand what the object did in the sandbox.
17 Try selecting the WINWORD.EXE hyper-link to reveal more information.

What does the icon next to WINWORD.EXE signify? How can you find out? Were there any child
processes executed by the sample during virtual analysis?
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________


18 Next, scroll down to MITRE ATT&CK Framework Tactics and Techniques.

19 Which two tactics were used and which technique(s) were used by each observed tactic?
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
20 Still in the MITRE ATT&CK Framework Tactics and Techniques section, select some of the
hyper-links listed under Techniques to familiarize yourself with the threat information that is
provided through MITRE ATT&CK. For example, Indicator Removal on Host:


Exercise 7: Managing Suspicious Objects


In the following exercise, we will examine the details of the suspicious objects list generated by Deep
Discovery Analyzer.
1 Return to the Deep Discovery Analyzer web console, and go to Virtual Analyzer > Suspicious
Objects. The suspicious object list will appear similar to the following.

2 What are some of the entries that you see in your own Suspicious Objects listing?
______________________________________________________________________________________
______________________________________________________________________________________
3 Have any of these Suspicious Objects been synchronized with Deep Discovery Inspector yet?
How can you check?
______________________________________________________________________________________
4 Notice that clicking the hyper-link under Related Submissions redirects you back to the
Submissions page, to that specific suspicious object submission, where you can obtain all the
details that you explored earlier.


Exercise 8: Adding Suspicious Objects to the Exceptions List
In the case where an analyzed object is safe and you no longer want DDAN to analyze this file in the
future, DDAN provides the ability to move a Suspicious Object to the Exceptions List. In this exercise, the
Exceptions List will be explored in more detail.
1 Go back to Virtual Analyzer > Suspicious Objects in the Deep Discovery Analyzer web console and
enable the check-box for the domain wrs41.winshipway.com, and select Add to Exceptions.
2 Click OK to accept the prompt. This notifies you that the new exception will never expire, and that
newly detected items matching the exception will not be added to the suspicious objects list.

3 Next, verify that this object has been successfully added to the Deep Discovery Analyzer’s
Exceptions list. (Hint: Check the Virtual Analyzer menu to find the Exceptions list.)



Lab 3: Configuring Deep Discovery
Inspector on a Virtual Machine
In this lab, the Deep Discovery Inspector web console will be used to complete the configuration of the Deep
Discovery Inspector. (Note: the Deep Discovery Inspector network settings were already configured in the
previous lab as part of the preparation steps for completing the Deep Discovery Analyzer activities.)

Estimated time to complete this lab: 15 minutes

LAB OBJECTIVES
• Adding a Network Group
• Adding Registered Domains and Services
• Updating Components
• Setting Geographic Location
• Configuring Time Zone Settings

Exercise 1: Adding a Network Group


A very important step in enabling Deep Discovery Inspector detection functionality is to add your internal
network groups as monitored networks in Deep Discovery Inspector. This allows Deep Discovery
Inspector to determine whether attacks are originating from outside or inside your corporate network
environment when it detects events. You can complete this task by performing the following steps.
1 In the Deep Discovery Inspector web console, go to Administration > Network Groups and Assets
> Network Groups.

By default, a network group called Default is already configured to monitor the entire network
that Deep Discovery Inspector can see traffic for. It is recommended to delete this network group
and create your own network groups with identifiable names that help to quickly pinpoint exact
network areas that may be affected when analyzing DDI threat detections.


2 Select the check box for the Group Name Default then click Delete.

3 When prompted, click OK to confirm this action.

4 Next, click Add and configure a new monitored network group using the following settings:
Group name: Company Network
IP address range: 192.168.2.0-192.168.2.255
Network zone: Trusted

The settings should appear as shown:


5 Click Add. This will list the newly added network as follows. Click Save to continue.

Deep Discovery Inspector is now correctly configured for our lab environment to identify
whether attack traffic is originating from within the monitored “Company Network” or from
outside.

Note: The above configuration is acceptable for use in our lab environment but is not ideal for actual
deployments. It is recommended to further refine the above configuration based on the
environment being monitored. For example, the monitored Company Network above can be further
split into multiple network segments. Again, it is important to use descriptive names, such as
“Finance” and “IT”, so that you know exactly which part of the network may be under attack.

Importing Network Groups

In this next lab activity, the network group added above will be segmented into smaller groups (of
IP address ranges) by importing a pre-configured network file (cav.xml).

Deep Discovery Inspector will use this configuration for tagging detection logs, which makes it
easier for administrators to pinpoint where threats may be originating from or traveling to. Deep
Discovery Inspector will also display this information in reports and widgets.
1 In the Deep Discovery Inspector web console go to Administration > Network Groups and Assets.


2 Select Import/Export from the left-hand menu, then click Choose File.

3 Navigate to the Desktop folder and double-click the network configuration called cav.xml.

4 With the cav.xml file selected, click Import.


5 Click OK to confirm this action. This will import the contents of the cav.xml network
configuration file.

6 Still in the Network Groups and Assets configuration page, click Network Groups from the menu
on the left.
The network group created earlier has been removed and replaced with a network called
MyOrganization.

7 Click the plus sign in front of My Organization to expand the group. This will display the following
network segments that were imported from the cav.xml file.


8 Hover the mouse pointer over one of the network segments in the list. Notice that this provides
an option to add a subgroup at that organizational level.

9 Click the Add Subgroup button for the Development Test Lab group. This displays the following
configuration settings.


10 Add the following Sub-group settings:
Group name: Staging Group
IP address range: 192.168.2.41-192.168.2.45

11 Click Add. The new sub-group will appear as follows:

12 Click Save.


Exercise 2: Adding Registered Domains and Services


With the network groups now correctly configured, the next step in the configuration is to set up your
internal “trusted” domains and services. This lets the Deep Discovery Inspector know which services and
servers are known, “legitimate” internal services and servers within your protected environment. This
configuration will keep the Deep Discovery Inspector detection logs free of unnecessary log entries for
connections that are in fact valid connections. Failing to add any registered domains and services within
Deep Discovery Inspector will cause legitimate services to be detected as an “unregistered service”
event, which may be incorrectly interpreted as a potential threat. Therefore, you should pay special
attention when configuring registered domains.

Adding Registered Domains


The steps below will guide you through the necessary steps for adding your network’s “trusted”
domains to the Deep Discovery Inspector.

1 Still logged in to the Deep Discovery Inspector web console, go to Administration > Network
Groups and Assets.
2 Select Registered Domains from the menu on the left.
3 Next, click Analyze.

This instructs Deep Discovery Inspector to analyze all the traffic that has been observed so far to
determine any domains and services being used in the network.


Since we are using a simplified network configuration in the virtual lab environment for this
training, no trusted domains will be auto-discovered by Deep Discovery Inspector at this point.

Note: In environments where domains cannot be automatically discovered by Deep Discovery Inspector
using the Analyze button, the trusted domains must be manually added to the Registered
Domain configuration. This process will be completed below.

4 Click Close to exit from the Analyze window, then click + Add.
5 Enter the following domains as trusted domains. The domains can all be entered in at once using
a space or comma after each entry.
- ntp.cloud.trendmicro
- dns.cloud.trendmicro
- mail.cloud.trendmicro

6 Type in an optional description, then click Add.


The newly added domains will appear in the Registered Domain configuration as follows:

Adding Registered Services

In this activity, you will be adding required trusted services to the Registered Services
configuration in Deep Discovery Inspector.

This configuration is used to prevent Deep Discovery Inspector from logging detections for your
trusted and legitimate network services.
1 From the Network Groups and Assets menu on the left, select Registered Services and click Add.


2 Next, configure the following registered services then click Add.
Services: DNS,SMTP
IP address: 10.34.47.251
Description: Corporate DNS and SMTP service

After clicking Add, you will have the following Registered Services defined for the network.

With this configuration, the Deep Discovery Inspector will no longer log detections for DNS
responses and SMTP service detections for the above defined hosts.
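The two settings configured in Exercise 1 (monitored network groups with a subgroup) and Exercise 2 (registered services) can be modelled together as follows. This is example code added to this guide, not Deep Discovery Inspector code: it does not read the cav.xml format, and the event fields and sample events are constructed; only the group names, IP ranges and registered service address come from the lab.

```python
"""
Model of two Lab 3 settings: monitored network groups (with subgroups) used to
tag where traffic originates, and registered services used to suppress
"unregistered service" events for known servers.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class NetworkGroup:
    """One monitored network group; subgroups must lie inside the parent range."""
    name: str
    first: str
    last: str
    zone: str = "Trusted"
    subgroups: list = field(default_factory=list)

    def contains(self, ip: str) -> bool:
        return IPv4Address(self.first) <= IPv4Address(ip) <= IPv4Address(self.last)

    def most_specific(self, ip: str) -> Optional["NetworkGroup"]:
        """Return the deepest (sub)group containing ip, or None."""
        if not self.contains(ip):
            return None
        for sub in self.subgroups:
            hit = sub.most_specific(ip)
            if hit is not None:
                return hit
        return self


# Values configured in Exercise 1: Company Network with its Staging Group subgroup.
MONITORED = [
    NetworkGroup("Company Network", "192.168.2.0", "192.168.2.255", subgroups=[
        NetworkGroup("Staging Group", "192.168.2.41", "192.168.2.45"),
    ]),
]

# Values configured in Exercise 2: service name -> set of registered server IPs.
REGISTERED_SERVICES = {
    "DNS": {"10.34.47.251"},
    "SMTP": {"10.34.47.251"},
}


def locate(ip: str, groups=MONITORED) -> str:
    """Name of the most specific monitored group holding ip, or 'External'."""
    for group in groups:
        hit = group.most_specific(ip)
        if hit is not None:
            return hit.name
    return "External"


def direction(src: str, dst: str, groups=MONITORED) -> str:
    """Classify a flow relative to the monitored networks."""
    src_in = locate(src, groups) != "External"
    dst_in = locate(dst, groups) != "External"
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "external"


def is_registered(service: str, server: str) -> bool:
    """True when the server is a registered provider of this service."""
    return server in REGISTERED_SERVICES.get(service, set())


def tag_event(event: dict) -> dict:
    """Attach group, direction and suppression decision to one raw event."""
    tagged = dict(event)
    tagged["src_group"] = locate(event["src"])
    tagged["dst_group"] = locate(event["dst"])
    tagged["direction"] = direction(event["src"], event["dst"])
    # An "unregistered service" event is only kept for servers that are not registered.
    tagged["suppressed"] = is_registered(event["service"], event["server"])
    return tagged


# Constructed sample events (not real DDI logs). 'server' is the host that
# answered the service request.
SAMPLE_EVENTS = [
    {"src": "192.168.2.43", "dst": "10.34.47.251", "service": "DNS", "server": "10.34.47.251"},
    {"src": "192.168.2.10", "dst": "198.51.100.7", "service": "DNS", "server": "198.51.100.7"},
    {"src": "203.0.113.9", "dst": "192.168.2.20", "service": "SMTP", "server": "192.168.2.20"},
]


def tag_all(events=SAMPLE_EVENTS) -> list:
    return [tag_event(e) for e in events]


if __name__ == "__main__":
    for tagged in tag_all():
        print(tagged)
```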


Exercise 3: Updating Components


Normally after adding your trusted domains and services in the Deep Discovery Inspector Registered
Domains and Registered Services configuration (completed in the previous activity), the next step is to
add any required proxies that Deep Discovery Inspector must use for access to the Internet.

Since our lab environment has been simplified for training purposes, there is no proxy server required for
Internet access, and so we can skip this configuration in the Deep Discovery Inspector. Instead, you will
proceed to configuring the Deep Discovery Inspector update process by performing the steps below.

Note: To ensure proper functionality in Deep Discovery Inspector, components should be updated on a
regular basis.

To run a manual system update, complete the following steps:


1 In the Deep Discovery Inspector web console, go to Administration > Updates > Manual. The Deep
Discovery Inspector will check for any new components that may be available. If any of the
components in Deep Discovery Inspector are out of date, they will be shown in red and there will
be an option to click Update to start the update process.


2 Select Update if applicable. This will begin the update process.

Note: If there are several outdated components, the update process can take a few minutes to
complete. In this event, proceed to the next step to save time and you can check back later on the
status of the update. The update process will continue running in the background.

3 Once updated, the components will be listed similar to the following:


4 Click Source from the menu on the left and review the update settings. By default, the update
function uses the Trend Micro Active Update Server for sourcing updates. Note that in
environments with Apex Central, you have the option of setting the Source for updates to Apex
Central instead by selecting the option Other update source and entering in the URL for the Apex
Central.

5 Next, click Scheduled from the left menu to view the default update schedule (every 2 hours).

6 Change the scheduled updates configuration to Update every: 1 hour then click Save.

Best Practice: In actual deployments, set the update to occur during non-peak traffic periods.


Exercise 4: Setting Geographic Location


In the steps below, you will now configure the geographic location of the Deep Discovery Inspector using
the web console Dashboard page.
1 In the Deep Discovery Inspector web console, go to Dashboard > Threat Monitoring then select
Widget Settings.

2 In the Threat Geographic Map window enter a Title for this window (or accept the default) then
select your location by scrolling through the available choices in the drop down list. Click Apply.


This sets up a Threat Geographic map similar to the following, for the country you selected.

Exercise 5: Configuring Time Zone Settings


Next, for proper detection functionality you must ensure that the correct time settings are configured for
the Deep Discovery Inspector. Perform the steps below to complete this activity.
1 In the Deep Discovery Inspector web console go to Administration > System Settings > Time and
configure the correct time zone for your location similar to the following.

2 Click Save. At this time, please also verify that VM-WIN2012 also has the correct timezone
settings for your geographical region.


Lab 4: Verifying the Deep Discovery
Inspector Installation
Now that Deep Discovery Inspector has been configured, all of the VMs in the Monitored Networks (which
we added in the previous lab) will be monitored by Deep Discovery Inspector. For example, the
VM-WIN2012 computer in your lab network will now be monitored by Deep Discovery Inspector,
which will be verified in the steps below.

Estimated time to complete this lab: 20 minutes

LAB OBJECTIVES
• Verifying Access to Back-end Services
• Testing with Demo Rules
• Testing the URL Filtering Engine
• Testing NCIE-Based Detections

Exercise 1: Verifying Access to Back-end Services


Deep Discovery Inspector requires an Internet connection to query various Trend Micro cloud-based
services (including WRS and CSSS etc.) to obtain information about emerging threats. After completing
a new deployment into a target network segment, it is important to check if Deep Discovery Inspector is
able to connect to required Internet and back-end services.

Perform the following steps to verify network connections to Trend Micro back-end services used by Deep
Discovery Inspector.
1 Still on the VM-WIN2012 computer, open a new web browser tab and this time connect to the
Deep Discovery Inspector Troubleshooting web console at:
https://192.168.2.110/html/troubleshooting.htm
Alternately, you can use the DDI-Trouble Shooting tab that is listed in the browser Favorites Bar.
The following page will be displayed:


2 In the Troubleshooting web console, select Network Services Diagnostics from the menu options
on the left. Next, verify that all of the network services are selected then click Test.

3 The Result column should now indicate Testing... while the connection test is in progress. Wait for
the test to be completed.

Note: The time required to complete the services test depends on the network environment and the
number of services that you have selected.


4 Once the test function has completed, view all the connection test results displayed in the Result
column. All the services should now appear as “Connected”.

5 Once you have verified the above connections, close the DDI Troubleshooting web console
window.


Exercise 2: Testing with Demo Rules


To help deploy Deep Discovery Inspector effectively and validate whether it is correctly able to receive
traffic and trigger detections successfully, Deep Discovery Inspector provides the following built-in demo
rules.
• Rule 2244 - DEMO RULE - ICMP (Request)
• Rule 2245 - DEMO RULE - DNS (Request)
• Rule 2246 - DEMO RULE - HTTP (Request)
• Rule 2247 - DEMO RULE - SMB (Request)
• Rule 2248 - DEMO RULE - SMTP (Request)
• Rule 2249 - DEMO RULE - KERBEROS (Request)

Note: If a network event detected by Deep Discovery Inspector matches any of the above built-in demo
rules, the detection is assigned a severity level of Informational. The rules Deep Discovery
Inspector uses to detect threats in your own network, and exactly how to configure them, will be
covered in much more detail later in the training. For now, we are only using the built-in demo
rules in order to confirm that our Deep Discovery Inspector setup is working correctly.

In this exercise, we will run a DNS query to trigger the above DNS (request) demo rule Rule 2245 -
DEMO RULE - DNS (Request). This is very useful for verifying proper installation and detection
functionality of the Network Content Inspection Engine (NCIE) in your Deep Discovery Inspector.

The following steps can be performed on ANY host that is located in your Deep Discovery Inspector
monitored network. For our lab environment, we will use the VM-WIN2012 computer, to complete these
steps.
1 Still connected to the VM-WIN2012 computer in the lab environment, select the Command
Prompt from the Windows taskbar to open a command prompt window.
2 Next, enter the command nslookup ddi.detection.test to generate a DNS request
packet to resolve the domain: ddi.detection.test. The following results will be displayed
indicating that the domain does not exist.

If the Deep Discovery Inspector is working correctly in your environment and is able to see all the
network traffic for the network segments it is monitoring (as defined in a previous lab activity),
then this DNS request should be detected by Deep Discovery Inspector. This will be verified in the
next step.


3 Return to the Deep Discovery Inspector web console.


4 To check if the Deep Discovery Inspector correctly detected the DNS request executed above, go
to Detections > All Detections.
5 Under the column Protocol, look for DNS Request.
You will notice that there is no detection shown at all for the DNS request.
Why? (HINT: Review the “Note” that was provided in the previous page regarding demo rule
detections.)

6 Next, let’s view All Detections again, only this time set the Detection Severity sliding bar to
ALL severity levels. You should now be able to view the detection (with the severity type
Informational) that Deep Discovery Inspector made for the above DNS request.

7 Move across the columns to the right and view the information provided for this detection.
Notice the Attack Phase for this threat.


Note: Each built-in demo rule will trigger an event with different attack phases displayed. For example,
in this case, the attack phase is C&C Communication. Additionally, each demo rule detection
will generate a maximum of 10 log entries.

8 Next, to display additional details generated by Deep Discovery Inspector for this detection click
the icon that appears under the Details column. Note the rule ID, notable object, and threat
description for this detection.


9 Click the hyper-linked rule number (Detection rule ID) to open the Trend Micro Encyclopedia
where more information can be obtained on this rule.

10 If the link does not open the Trend Micro Encyclopedia page, repeat the above step using the
Chrome web browser.


11 The rule id hyper-link opens the following Trend Micro Threat Encyclopedia web page.

From this page, you will be able to obtain all the details for the related rule. In this case, rule
2245 is a demo rule therefore the information provided is not very interesting. For actual rules,
the information provided can be very helpful. You will note that various actions are listed under
Solution. These provide useful recommendations for incident response activities.


12 Before moving to the next activity, spend some additional time viewing the details for this event
so that you can become more familiar with the threat information that is available to you when
investigating your own threat detections.

Note: For more information about the built-in demo rules, refer to the Knowledge base article:
Using Deep Discovery Inspector (DDI) demo rules to validate monitored traffic.

Exercise 3: Testing the URL Filtering Engine


In this exercise, a URL violation will be triggered to examine the corresponding detection made by the
Deep Discovery Inspector URL Filtering engine.
1 Still connected to the VM-WIN2012 computer in the lab environment, connect to the following
URL from a web browser. Ensure that you are using HTTP for this test.
http://wrs41.winshipway.com
You can alternately select the wrs41 tab listed in the web browser Favorites bar.
The following page should be displayed:

2 Back in the Deep Discovery Inspector web console, go to Detections > All Detections.
3 From the list of detections, find the URL detection for the above URL violation, and click the
Details icon to view additional information about this particular detection.


4 Based on the details provided for this Malicious URL detection, which component detected this
threat? List a few other details that are provided for this particular detection.

5 Close the Detection Details page, once you have completed viewing the information.

Note: In upcoming lab activities, we will explore the Detections information in a lot more detail to gain
a much deeper understanding of threat analysis.

Exercise 4: Testing NCIE-Based Detections


The Network Content Inspection Engine (NCIE) scans network traffic for malicious content or payloads
that target known vulnerabilities or exploits.

To verify if the NCIE service is functioning correctly within Deep Discovery Inspector, perform the steps
below:
1 In the web browser, enter the following URL (exactly as shown). You can alternately copy this
command from the commands.txt file that is located on the Win2012 desktop and paste it into
the web browser’s search bar, or use the “Traversal” shortcut in the web browser Bookmarks/
Favorites bar.
http://demo.trendenablement.com/cgi-bin/cmd.exe?/c+dir
When prompted to enter credentials, click Cancel. After clicking Cancel, the following HTTP
error should appear:

Note: The above URL string generates a web folder traversal attack. This is an attack that is
commonly used by cyber threat actors to gain unauthorized access to restricted directories and
execute commands outside of the web server's root directory.

2 In the Deep Discovery Inspector web console, go to Detections > All Detections in order to view
the Deep Discovery Inspector detection for the above web folder traversal violation.
A detection should appear similar to the following (see Notable Object column):

3 Click the Details icon to view additional information for this violation.

4 Examine the details that are available for Attack Phase, Threat Description and Protocol
Information that are shown for this NCIE (Network Content Inspection Engine) detection.


Lab 5: Troubleshooting
In the following lab activities, various functions will be explored for troubleshooting common system
problems, and sending debug information to Trend Micro support for specific issues that you may run
into.

Note: Before performing any troubleshooting functions, check to ensure that your Deep Discovery
Inspector is using a current valid license, and that it is activated.

Estimated time to complete this lab: 20 minutes

LAB OBJECTIVES
• Identify if DDI Can See Network Traffic
• Verifying Detection Capabilities
• Checking Current System Status of Deep Discovery Inspector
• Generating and Exporting Debug Logs

Exercise 1: Identify if DDI Can See Network Traffic


There are multiple ways to identify whether DDI can see specific network traffic. This might be as simple
as initiating a large download on one machine, or running a packet capture and checking whether the
specific communication is recorded in the capture. You will use both of these methods in the
activities below.

Display Current Throughput of the Deep Discovery Inspector


In this activity, miscellaneous files will be downloaded from a web browser on VM-WIN2012 to check if
Deep Discovery Inspector throughput is affected. This will indicate that it is seeing the traffic.
1 Open a web browser and navigate to any web site and download files to generate some web
traffic. For example, navigate to http://www.kernel.org and download the latest kernel.

2 While the file is being downloaded, access the Deep Discovery Inspector web console and
observe the throughput indicator located in the top right corner of the screen.

The throughput indicator shows the amount of network traffic that is being scanned by Deep
Discovery Inspector.
You should observe a spike occurring during the download phase.

Using Packet Captures to Verify Network Traffic


In this activity, you will generate network packet captures to verify whether Deep Discovery Inspector is
able to see your web traffic.

1 In the Deep Discovery Inspector, go to Administration > System Settings and select Network
Interface from the menu options on the left.
2 Next, click the link Network Traffic Dump. This will redirect you to the Deep Discovery Inspector’s
Troubleshooting portal Network Traffic Dump page.

3 Click Capture Packets then open a new web browser tab and initiate some traffic. For example,
you can repeat the same download of the Linux Kernel from the previous activity.

4 Once some traffic has been generated, return to the Deep Discovery Inspector Troubleshooting
page and click Stop to stop the packet capture.

5 Once the packet capture has been stopped, you will now have the option to View, Export or Reset
the latest Packet Capture. Click View.

6 This will open the internal network analyzer in DDI as follows where you can confirm whether or
not the traffic can be seen by Deep Discovery Inspector.

Note: Alternatively, in the previous step, you could have exported the packet capture to a file and then
used an external packet analyzer, such as Wireshark, to confirm if the traffic was correctly seen
and captured by Deep Discovery Inspector.
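If you take the export route described in the note above, the check a practitioner wants to make on the exported file is simple: does any packet in it involve the workstation that generated the traffic? The following Python script is an added example (not Trend Micro code and not part of the original lab) that answers that question for a classic libpcap file, the format Wireshark opens. It builds a small two-packet capture in memory so it runs offline; the capture bytes, the workstation address 192.168.2.50 and the remote addresses are constructed for the example. To run it against a real export, read the exported file into bytes and pass those to `host_seen()` instead of `SAMPLE_PCAP`.

```python
"""Check whether an exported packet capture contains traffic for a given host.

Added example, not Trend Micro code.  Handles classic libpcap files with an
Ethernet link type; pcapng is not handled.  The sample capture is constructed.
"""
import socket
import struct
from typing import List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4      # value read as little-endian from bytes d4 c3 b2 a1
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same bytes in the opposite byte order
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def build_tcp_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame for the sample capture.
    Checksums are left at zero; the parser below does not verify them."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap raw frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    records = b""
    for i, frame in enumerate(frames):
        records += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return header + records


def parse_pcap(data: bytes) -> List[Flow]:
    """Return one (src_ip, src_port, dst_ip, dst_port) tuple per IPv4/TCP packet."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    link_type, = struct.unpack_from(endian + "I", data, 20)
    if link_type != 1:
        raise ValueError("only Ethernet captures are handled")
    flows: List[Flow] = []
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue  # not IPv4 over Ethernet (or truncated); skip it
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 4:
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        flows.append((src, sport, dst, dport))
    return flows


def host_seen(data: bytes, host_ip: str) -> bool:
    """True if any TCP packet in the capture has host_ip as source or destination."""
    return any(host_ip in (src, dst) for src, _, dst, _ in parse_pcap(data))


# Constructed sample: one HTTP request from the (assumed) workstation address and
# one unrelated packet, so the check has something to find and something to ignore.
WORKSTATION_IP = "192.168.2.50"  # assumption: the lab workstation's address
SAMPLE_PCAP = build_pcap([
    build_tcp_packet(WORKSTATION_IP, "198.51.100.10", 49152, 80,
                     b"GET /pub/linux/kernel/ HTTP/1.1\r\nHost: www.kernel.org\r\n\r\n"),
    build_tcp_packet("10.0.0.5", "10.0.0.6", 51000, 443, b""),
])

if __name__ == "__main__":
    for flow in parse_pcap(SAMPLE_PCAP):
        print("%s:%d -> %s:%d" % flow)
    print("workstation traffic present:", host_seen(SAMPLE_PCAP, WORKSTATION_IP))
```

If the exported capture parses but `host_seen()` is False for the workstation, the capture interface is not receiving that segment's traffic, which is exactly the condition this activity is meant to surface.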

Exercise 2: Verifying Detection Capabilities


When verifying detection functionality in Deep Discovery Inspector, you must first ensure that there is no
URL filtering activated on your workstation. Otherwise, the URL requests used to test detection
capabilities will be blocked and Deep Discovery Inspector will not see this traffic.

In the steps below, you will use a Ransomware test URL to verify whether Deep Discovery Inspector is able
to correctly detect this threat.
1 Open a web browser on VM-WIN2012, and enter the following Ransomware test URL:
http://ca95-1.winshipway.com
2 The following output will be displayed:

3 Next, open a new web browser tab, and access the Deep Discovery Inspector web console.
4 Go to Detections > All Detections and verify that the Ransomware was correctly detected by Deep
Discovery Inspector. The detection will appear similar to the following:

If there is no detection indicated as above, you can perform the additional checks outlined in
the steps below.
5 Ensure that your workstation IP is in the IP range currently being monitored by your Deep
Discovery Inspector. This can be verified in the web console. Go to Administration > Network Groups and
Assets > Network Groups.
If the IP of the workstation is included in the monitored IP range, then the next step is to ensure
that the Deep Discovery Inspector is able to connect to the required Trend Micro back-end services,
as outlined in the next step.
6 Connect to the Deep Discovery Inspector Troubleshooting Portal.
https://192.168.2.110/html/troubleshooting.htm
7 From the menu on the left, click Network Services Diagnostics.

8 Verify that all the services are selected (checkbox is enabled) then click Test.

9 Ensure that all the Trend Micro back-end services are showing a status of connected similar to
above (sample snippet of screen).

Exercise 3: Checking Current System Status of Deep Discovery Inspector

In the following activity the Deep Discovery Inspector web console Dashboard will be used to verify the
Deep Discovery Inspector’s current system status.
1 In the Deep Discovery Inspector web console, go to Dashboard > System Status.
The following System Status widgets allow you to see at a glance whether the Deep Discovery Inspector
is working properly or is currently overloaded.

Exercise 4: Restoring System Utilization


In cases where Deep Discovery Inspector is heavily utilized, or overloaded (the bars for CPU shown in the
previous activity will appear as yellow or red), the following best practices can be used to help restore
utilization to more normal limits.
1 Go to Administration > Monitoring / Scanning > Detection Rules and disable any detection rules
that are NOT required in your environment. Try this now, by clicking on the check mark icon for a
rule to disable it. Do not save any detection rule changes at this time.

2 Go to Administration > Virtual Analyzer > File Submissions and verify that you are using the
correct Virtual Analyzer File Submissions for your environment. If ALL files are being submitted,
Virtual Analyzer might be analyzing more files than it should be.

Note: In our lab environment, we have enabled the submission of known malware to generate more
detections for the purposes of having enough detections to work with in the lab activities.

Do not make any changes to the File Submissions settings at this time.

3 Next, go to Administration > Monitoring / Scanning > Deny List / Allow List. Allow & Deny lists can
be used to reduce analysis requirements. Leave the settings unchanged. You will have a chance
to configure Allow & Deny lists in upcoming lab activities.

Exercise 5: Generating and Exporting Debug Logs


To create useful debug logs, it is important to first correctly configure any required debug log settings,
and then reproduce the issue you are experiencing, before exporting the debug logs for Trend Micro
Technical Support.

The following lab activity will guide you through this process.
1 Open a web browser and connect to the following URL to access the Deep Discovery Inspector
Troubleshooting portal:
https://192.168.2.110/html/troubleshooting.htm
The troubleshooting page will display the Debug Log Settings. Note that by default, the debug
logs are all set to “Error”. This is the level required for normal system operation of the device.

2 Next, depending on the module you are troubleshooting, Trend Micro Technical Support may
instruct you to set various modules shown here to “Debug” mode. Try setting the tmufed
detection debug log setting to Debug as follows:

3 Once the various debug settings have been configured, click Save.
4 Once you have configured the debug logs (as instructed by your Trend Micro Technical Support
representative), you will then need to reproduce the DDI issue or problem that you are
experiencing. For demonstration purposes, open a new browser tab and connect to the following
URL: wrs41.winshipway.com. You can alternately select the wrs41 tab listed in the
web browser Favorites bar.
5 After reproducing an issue, in this case, generating a web reputation violation, the next step is to
export the Debug Logs by clicking on Export.

6 This will download the debug archive file debug_log.zip to your local machine.

Once downloaded to your workstation, this debug archive can then be sent to your Trend Micro
Technical Support representative for further troubleshooting assistance.
7 IMPORTANT: After you have completed your debugging using the above steps, you must reset
the debug log levels back to Error and click Save. This configuration is illustrated below.

Note: If the Debug setting is not set back to Error, this can negatively affect Deep Discovery Inspector’s
performance.


Lab 6: Using Dashboard Widgets for
Investigating Threats
In the following lab activities, pre-existing packet captures of various events will be played in order to
generate a number of Deep Discovery Inspector detections that will then be explored using widgets in
the Deep Discovery Inspector web console Dashboard. Dashboard widgets provide easy-to-understand
graphical views of the threats affecting the monitored network, where you can drill down to find the root
sources (for example, the affected hosts) of the threats. This makes it possible to prioritize the further
investigations that must take place to prevent further attacks.

Estimated time to complete this lab: 45 minutes

LAB OBJECTIVES
• Lab Preparation - Generating Detections using Packet Captures
• Investigating Dashboard Widget Information
• Finding the Root Cause
• Using Top Affected Hosts Widgets to Identify Compromised Hosts
• Finding non-Windows Malware

Exercise 1: Lab Preparation - Generating Detections using Packet Captures

In this activity, the Colasoft packet player application will be used to play a pre-existing packet capture in
your lab environment in order to generate a group of detections for upcoming activities.
1 Still connected to the VM-WIN2012 computer in the lab environment, run the Colasoft Packet
Player using the shortcut to the application that is located on the Desktop.

2 This opens the application. Ensure that the Adapter is set as shown below.

3 Next, if any packet files are already loaded in the Packet File: section shown below, click Clear.

4 Next, click Add File(s).

5 Browse to the PcapsStage1 folder that is located on the Desktop, select all the files at once (by
clicking in the list and pressing CTRL-A) and click Open.

This displays the following list of packet files.

6 Under Options, change the play speed to Burst then click Play.

7 After the packet file playback has stopped, return to the Deep Discovery Inspector web console
and go to Detections > All Detections to confirm that detections were made for the packet
captures you ran in the previous step. The output should appear similar to the following.

Exercise 2: Investigating Dashboard Widget Information

In this exercise, Deep Discovery Inspector Dashboard widgets will be used to examine the detections
made for the packet captures you ran in the previous activity.

Lab Activity Notes:

The Dashboard in the Deep Discovery Inspector web console is populated based on a 10 minute
interval, whereas the Detections > All Detections page is updated in real-time.

When performing the steps below, do not wait for the web console to refresh. Even if your
widgets do not exactly match the illustrations in this lab, please move on to the next step so that
you will have enough time to complete all the lab activities. You can recheck your widgets at any
point to see the refreshed results.

1 In the Deep Discovery Inspector web console select the Dashboard.


2 Next, select the Summary tab, then in the top-right corner click +Add Widgets.

3 From the left-hand menu, go to Top Trends, then scroll down (or type “malware” in the Search
field) and select the widget Top Malware-infected Hosts.

4 Click Add to add the Top Malware-infected Hosts widget to the dashboard.
5 From the Summary tab in the Dashboard, locate the Top Malware-infected Hosts widget that was
just added.
6 In the top-right corner of the widget, select the down arrow and click Widget Settings to access
the customization options for this widget.

7 Select Bar Chart then click Apply.

Note: At this point, proceed with the next steps in this activity as it will take a few minutes for the
refresh to occur, and for the host machine to appear in the widget. This widget will be re-
examined in a later step.

8 Go to Detections > Affected Hosts.


9 Click the IP address 192.168.106.141 from the Affected Hosts list and review the information
that is provided in the Host Details page that is displayed. If the 10 minute refresh did not occur
yet, the entry may not be there.

You can alternately go to All Detections instead, and review the same ransomware details from
there.

10 Close the current Host Details page and return to the Dashboard page.
11 Navigate to the Top Malware-infected Hosts widget, and click the bar for the IP address
192.168.106.141.
This provides a more convenient way to link directly to the same Host Details page seen earlier.

Best Practice: Using the Dashboard as a starting point during threat analysis makes it easier to
drill-down directly to the information that is most important to you.

12 In the Host Details page, try to determine the following information about this particular
‘malware’ detection.

• In which Attack Phase was the detection made? ______________________________________
• What was the severity of this detection? _____________________________________________
• Can you determine in which Network Group this event was detected? _________________
13 Select the icon under the Details column to view the full detection details for this detection.

14 Examine all the information provided for this threat and try to determine the following:

• Which Detection Rule ID was matched? Why was this rule triggered?
___________________________________________________________________________________

• Are there other rules which can detect communication from a poison ivy RAT? Where can
you look to find out?
___________________________________________________________________________________

• List the MITRE Tactics and Techniques typically observed for this attack?
___________________________________________________________________________________

• Which IP address did the affected host connect to? Were any other hosts affected?
___________________________________________________________________________________

• Which DDI engine detected this threat?
___________________________________________________________________________________

• In which Attack Phase was the detection made?
___________________________________________________________________________________

Exercise 3: Finding the Root Cause


In the last activity, host 192.168.106.141 is suspected of being compromised because Deep Discovery has
detected POISONIVY communications coming from it.

Note: The Top Malware-infected Hosts widget only shows detections which indicate that the host has been
compromised, so it does not include all of the detections triggered for that particular host.

In this exercise the Top Affected Hosts widget will be used to help identify the root cause of detected
events from a different host.
1 Return to the Dashboard page in the Deep Discovery Inspector web console.
2 Select the Summary tab, and navigate to the Top Affected Hosts widget.
Unlike the previous widget, these events do not necessarily mean the host is compromised. For
example, a generated event could already have been handled by an endpoint security solution.

3 Next, click the row for host 172.16.100.17 to see more information. This will display all the events
associated with this host for the given time frame similar to the following:

• Here, we can see that a malicious Java applet, Java_Gondy.A, is downloaded by the host.
• This is a Trojan which is part of a Java applet that exploits a Java Runtime Environment
(JRE) vulnerability.
• The attack checks if the system is running on Windows OS and downloads and executes a
file detected as BKDR_POISON.BLW.
• The malicious Java applet then deletes the binary once executed.
4 Click each of the above Details icons to view the information for the full attack process described
above.

Exercise 4: Using Top Affected Hosts Widgets to Identify Compromised Hosts

In this exercise, the Top Affected Hosts widget will be used again, but this time to investigate different
attacks.
1 Repeat the activity “Lab Preparation - Generating Detections using Packet Captures” on page 75
(Steps 1 to 4), only this time run the packet captures from the PcapsStage2 folder.

2 In the Deep Discovery Inspector web console go to Detections > All Detections.

Note: After the above detections are displayed, it will take another 10 minutes for the Dashboard
widgets to be refreshed and populated with this new information.

3 Next, go to the Dashboard and select the Summary tab.


4 Navigate to the Top Affected Hosts widget again as we did earlier, only this time note the Host
Severity for each affected host.

Note: Based on the events detected, the Host Severity is the impact on a host as determined from
aggregated detections by Trend Micro products and services.

This helps determine the likelihood of the host being compromised. For more information refer to
the Deep Discovery Inspector Online Help or Administrator’s Guide.

Exercise 5: Viewing C&C Communications


1 From the Deep Discovery Inspector web console, go to the Dashboard and select the Threat
Monitoring tab.
2 From the second drop-down menu, select Malware callback (C&C) destinations.

3 Click the country name displayed in the right-side pane to view specifics about the malware and
the events.

4 Next, click on the number 2 hyper-link shown under Event in the Singapore details to see the
specific events.

This also links to the All Detections page, but this time, the output has been filtered by the C&C
server IP address as follows.

5 Return to the Dashboard and navigate to the Threats at a Glance widget.


6 Click the hyper-link number shown for C&C Communication detections.

This will link to the Detections > Affected Hosts page filtered by Hosts with C&C Communication
detections.
7 In the Affected Hosts page, select the hyper-link number provided under the C&C
Communications column.

Note: Affected Hosts detections will be explored in more detail in a later activity.

8 This will display the following details about the C&C callback server. View the Peer Host column
for the name of the C&C server that was detected.

9 Next, click the icon under the Details column for the poison ivy threat.
This will display the full detection details that we have mostly already explored for this threat in
an earlier activity. In the next lab, you will look at some additional threat information that is
provided by Deep Discovery Inspector.
10 Leave this page open and proceed to the next exercise.

Exercise 6: Using Threat Connect to Obtain Threat Intelligence

Threat Connect provides on-demand access to Trend Micro intelligence databases, enabling you to
identify and investigate potential threats to your environment.

In this exercise, you will examine the Threat Connect information for the same C&C Communication
detection as in the previous activity.
1 In the Detection Details page for the poison ivy event, click the button View in Threat Connect.

2 This opens a connection to Trend Micro’s Threat Connect portal similar to the following.

Here, you can view the correlated threat data from the Trend Micro Global Intelligence Network
to help you better understand the threats or suspicious objects in your network.

3 Next, under Relevant Threat Information, click View Report for the TROJAN variant.

This will display information similar to the following:

4 Examine and familiarize yourself with the different threat intelligence that can be obtained from
this page.

Exercise 7: Finding non-Windows Malware


One of Deep Discovery Inspector’s advantages is its ability to detect both Windows and Non-Windows
based malware.

In the following exercise, a different widget will be explored that quickly shows the different malware
types that are being detected by Deep Discovery Inspector in the monitored network.
1 In the Deep Discovery Inspector web console, go to Dashboard > Top Trends.
2 Add the widget Top Malicious Content Detected and change the view to Pie Chart. (If required,
you can refer back to the steps you previously completed for a similar activity.)

Note: If the widget information does not appear similar to the following, then most likely a widget
refresh has not yet occurred.

3 Look at this widget to determine which additional operating systems (aside from Windows) were affected
by malware detected by Deep Discovery Inspector.
___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________


Lab 7: Analyzing Logs and Managing
Detection Rules
Earlier, we used various tests and methods to verify correct detection functionality in Deep Discovery
Inspector. In the activities in this lab, we will spend time working with and analyzing the Deep Discovery
Inspector detection logs, including working with Affected Hosts information in order to find the specific
hosts in the network that have been affected (or potentially compromised) by a particular threat
detected by Deep Discovery Inspector. Students will also get hands-on practice setting up log exceptions
for safe events like internal security audits using port scanning, as well as preparing logs for internal
Security teams and deactivating non-required detection rules.

Estimated time to complete this lab: 60 minutes

LAB OBJECTIVES
• Lab Preparation — Generating Detections
• Identifying Affected Hosts
• Enabling Detection Rules
• Disabling Logs for Safe Events
• Marking Detections as Resolved
• Exporting Logs for your Security Team
• Deactivating Detection Rules

Exercise 1: Lab Preparation — Generating Detections


In this exercise, you will perform various steps to generate different types of malicious traffic that will be
detected and logged by Deep Discovery Inspector which you will use later to perform log analysis tasks.
1 Still connected to the VM-WIN2012 computer in the lab environment, open a web browser and
connect to the Detection Samples web page at http://detection.trend.local/
Alternately, select Detection Samples from the web browser’s Bookmarks bar.
2 In the Detection Samples web page, click each of the different sample links under each category
listed below. If prompted, save each sample file to the Desktop.
• Predictive Machine Learning
• Sypcar
• CVE
• Sample Submission

Note: Ignore any “malware” warnings by the browser. Since the file has reached the endpoint, Deep
Discovery Inspector has seen the traffic already.

3 Use the TEST.BAT tab in the web browser Bookmarks bar OR copy the command from the
copy-n-paste.txt file on the Desktop and paste it into the web browser’s search bar:
http://detection.trend.local/web/detection/?file=../../../test.bat
When prompted to log in, click Cancel. This will produce the following server error, which you can
ignore.

Note: The above test simulates a “directory traversal” detection in Deep Discovery Inspector because
the bat file does not exist. A directory traversal (also called path traversal) attack is an HTTP
attack which tries to access files and directories that are stored beyond the web root folder. This
can allow attackers to access restricted directories and execute commands anywhere outside of
the web server's root directory.

4 After performing the above steps to generate new detection logs, connect to the Deep Discovery
Inspector web console and go to Detections > All Detections to examine the events.
5 Ensure that new detections are listed for the activities performed above similar to the following:
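The traversal note in step 3 above and the one in Lab 4, Exercise 4 (the cgi-bin/cmd.exe?/c+dir request) both describe the same request pattern, and it is worth seeing what that pattern looks like outside the DDI console, in the web server's own access log, so the network detection can be corroborated on the host. The following Python script is an added example, not Trend Micro's or Deep Discovery Inspector's rule logic and not part of the original lab. It parses combined-format access log lines, percent-decodes the request target (including double encoding), folds Windows-style backslashes, and reports any request whose path or query steps above the web root or names a command interpreter or sensitive file. The log lines, client addresses, timestamps and status codes are constructed; the two request targets from the lab pages are included as they appear on the page.

```python
"""Flag directory-traversal style requests in a web server access log.

Added example: this is not Trend Micro's or Deep Discovery Inspector's
detection logic, and the log lines below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined"-style line: client, identity, user, [timestamp],
# "METHOD target PROTOCOL", status, size.  Only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# ".." followed by a separator (or end of string), checked after normalization.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')

# Targets that show the request is after an interpreter or a sensitive file
# rather than an ordinary web resource.
INTERPRETERS = ("cmd.exe", "/bin/sh", "/bin/bash")
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "web.config")


def normalize(target: str) -> str:
    """Percent-decode repeatedly (bounded, so crafted input cannot loop),
    fold backslashes to slashes and lower-case, so that %2e%2e%2f, %252e
    (double encoding) and ..\\ variants all look the same to the rules."""
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def classify(target: str) -> Optional[str]:
    """Return a finding label for a request target, or None if it looks benign."""
    norm = normalize(target)
    parts = urlsplit(norm)
    if TRAVERSAL_RE.search(parts.path) or TRAVERSAL_RE.search(parts.query):
        return "directory traversal"
    if any(name in norm for name in INTERPRETERS):
        return "command interpreter request"
    if any(name in norm for name in SENSITIVE_FILES):
        return "sensitive file request"
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over each parsable log line and collect the findings."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        label = classify(m.group("target"))
        if label:
            findings.append({
                "client": m.group("client"),
                "time": m.group("ts"),
                "target": m.group("target"),
                "status": m.group("status"),
                "finding": label,
            })
    return findings


# Constructed sample log (addresses, timestamps, statuses and sizes are made up).
SAMPLE_LOG = [
    '192.168.2.50 - - [12/Apr/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.168.2.50 - - [12/Apr/2023:10:01:05 +0000] "GET /web/detection/?file=../../../test.bat HTTP/1.1" 401 0',
    '192.168.2.50 - - [12/Apr/2023:10:01:09 +0000] "GET /cgi-bin/cmd.exe?/c+dir HTTP/1.1" 401 0',
    '10.0.0.7 - - [12/Apr/2023:10:02:00 +0000] "GET /images/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404 0',
    '10.0.0.7 - - [12/Apr/2023:10:02:30 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['finding']}: {f['target']}")
```

The last sample line is there on purpose: a file name containing `..` with no separator after it is not a traversal, and the rule is written so it stays quiet on it. The 401 statuses mirror the credential prompt the lab steps tell you to cancel; a status code alone never decides whether a request is hostile, which is why the classification looks only at the decoded target.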

Exercise 2: Identifying Affected Hosts


In this exercise, students will find and work with the Affected Hosts information to gain insight and
detailed information on the specific hosts directly affected by particular detections made by Deep
Discovery Inspector.

This information can be helpful for prioritizing the hosts to investigate immediately at the first sign of a
detected threat to help stop the spread of further attacks faster.
1 In the Deep Discovery Inspector web console, go to Detections > Affected Hosts.
The Affected Hosts page will display a summary of all hosts with detected threats similar to the
following:

Best Practice: Use Affected Hosts to very easily determine the attacks with the highest Host Severity
score, and the specific host(s) affected by the threat.

2 Examine the Affected Hosts page. The detections for each host are assigned to one of the six
phases of a targeted attack as indicated above.

Note: In the case where a specific attack phase cannot be assigned to the detection, the attack will be
listed under the column Unknown Attack Phase.

3 For the dc2016 host, in which attack phase(s) did Deep Discovery Inspector detect the events?

(If the dc2016 host is not listed, most likely the refresh has not yet occurred and you can come
back to this question later.)

4 For the host win2012, click on the hyper-linked number that appears under the Point of Entry
column.

5 This will open the Host Details screen displaying all Point of Entry attacks that were discovered
by Deep Discovery Inspector on host win2012 at this point in time.

Also note the Filter (Attack phase: Point of Entry) that is applied. This will show just the relevant
Point of Entry events for win2012. You also have the option to save this search query for future
use.

6 Click on the Details icon for threat Possible Directory Traversal Exploit Attempt to view the full
information about this threat:

7 Examine the details for this threat and try to determine the following:

• What is the Detection Severity?

• Which rule triggered this detection?

• Describe this particular threat?

• Which MITRE ATT&CK tactics and techniques were used?

8 Next examine the Connection Summary section.

Note: The Connection Summary allows you to quickly see exactly which hosts established the connection.
Of importance here is the “blue circle”, which indicates the interested host for this particular
detection.

9 Next, view the Protocol information.


This provides additional information about the protocol used in the detected communication,
such as the user agent and URL for HTTP.


10 Next, scroll down the details to view the Additional Information.

Additional Information provides details such as the threat scanning engine or module that
detected the threat. You can also see whether this detection is being mitigated by a Mitigation
Server.

Note: If you do not use a Mitigation Server in your environment, you will see the description “To be
mitigated”.


11 Close the Detection Details page and return to Detections > Affected Hosts again. This time
examine the Host Severity column.

By default, the detections are sorted in descending order by Host Severity, where the hosts with
the highest combined severity level will be listed first. This helps you to more quickly prioritize
the hosts that need your immediate attention.

12 What is the Host Severity of win2012? Can you determine why? (Hint: Look at the Host Details
again for the Point of Entry. Was the threat internal or external?)


13 Does this host severity shown indicate that win2012 is definitely compromised?

Hint: Click the ? icon next to Host Severity.

14 This links you to the Online Help for more information on Host Severity ratings.


15 On the Affected Hosts page, click the IP address 192.168.2.230 for the dc2016 host.

This will link to the Host Details page. Notice that the output shows all detections related to ALL
attack phases. Recall that earlier, in Step 5 on page 98, the hyper-link under Point of Entry was
selected instead, which filtered the Host Details to Point of Entry detections only.
This time, by selecting the IP address hyper-link, you can see the detections for ANY/ALL of the
attack phases. For example, here you can also see the detections made during Point of Entry,
Lateral Movement, etc.


16 Return to the Affected Hosts list, and view the Details for the Lateral Movements detected on
the host dc2016.

17 Under Detection Information, click some of the available links provided for MITRE ATT&CK™
Tactics and Techniques and examine the type of threat information that can be obtained from the
MITRE ATT&CK™ web site about this attack.


18 For example, clicking the hyper-link TA0008 for Lateral Movement provides the following
information about this attack. What was the particular technique detected by Deep Discovery
Inspector for the Lateral Movement detection in your environment?

Best Practice: A good starting point for your threat analysis is Affected Hosts because it allows you
to quickly find and prioritize the hosts in an affected network where deeper
investigations will need to occur. However, avoid basing any hard conclusions on the
Affected Hosts information alone, as this will not always provide a clear or full view on
whether a particular high severity threat is inter-linked, or part of the same chain of
attacks. Instead, the Affected Hosts information should always be used in conjunction
with other investigative and analysis work that is taking place to dig deeper and
understand the threats in order to stop and prevent them.


19 Go to Detections > All Detections and view the Interested Host column. The value shown for
Interested Host represents the Affected Hosts information. If this column is not displayed in your
interface, select Customize Columns and add the column Interested Host.

This provides an alternate way to access some of the same information that we worked with
already in the previous activities. For example, here you can see again the individual Point of
Entry and Lateral Movement detections that were explored already through the Affected Hosts
page in the previous activities.


Exercise 3: Enabling Detection Rules


In the steps below, you will enable detection rule 2682 and use the nmap utility to generate traffic
that will be detected by this rule. You will then verify the detections and use the Trend Micro Threat
Encyclopedia to learn more about rule 2682.
1 In the Deep Discovery Inspector web console go to Administration > Monitoring / Scanning >
Detection Rules.
2 Search for detection rule 2682 NMAP - HTTP (Request). Use CTRL-F to find it faster.

3 Next enable this rule by clicking the null symbol located in front of the rule number. This should
change the null symbol into a green check mark symbol. Rule 2682 is now enabled.


4 Next, scroll back to the top of the page and click Save Changes to continue.

5 Once the changes have been saved, switch to the VM-KALI Linux computer in the lab
environment. Hit Enter and type in the root password of trendmicro.

6 In the Kali desktop select Applications > Terminal to open a Linux terminal window.


7 In the Kali terminal, execute the following nmap command:


nmap --script http-enum 192.168.2.230

Note: The above command, nmap --script http-enum <host>, is commonly used in pen-testing but
is of course also used by attackers to enumerate common web applications, common directories of
web applications, and many other interesting files. http-enum detects a lot of popular web
applications that are known to be vulnerable.

For more information on the nmap utility and other nmap commands that can be used for
pen-testing, you can refer to the following resources:
• http://nmap.org
• http://nmap.org/nsedoc/
• https://secwiki.org/w/Nmap/Script_Ideas
• https://secwiki.org/w/Nmap/Script_Vault
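The following Python script is an added example for this exercise; it is not part of the Trend Micro lab manual and does not reproduce the logic of detection rule 2682. It shows two ways a defender can spot an http-enum style probe in ordinary web server logs: the default User-Agent string of nmap's NSE HTTP library (assumed here to contain "Nmap Scripting Engine") and a burst of many distinct paths requested by one client inside a short window, which still fires when the User-Agent has been changed. The log lines, addresses, window and threshold are constructed.

```python
"""Detecting http-enum style probing in web server logs (added example).

Not Trend Micro code and not the logic of DDI rule 2682. Two signals are
checked over constructed Apache combined-format log lines:
  1. the default NSE HTTP User-Agent (assumption: it contains the marker below)
  2. many distinct paths from one client within a short window
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; not real traffic and not Deep Discovery Inspector output.
SAMPLE_LOG = """\
192.168.2.232 - - [10/Apr/2023:10:15:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.168.2.232 - - [10/Apr/2023:10:15:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.168.2.232 - - [10/Apr/2023:10:15:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.168.2.232 - - [10/Apr/2023:10:15:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.168.2.232 - - [10/Apr/2023:10:15:02 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.0.0.5 - - [10/Apr/2023:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.9 - - [10/Apr/2023:10:20:00 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "curl/7.88.1"
10.0.0.9 - - [10/Apr/2023:10:20:01 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "curl/7.88.1"
10.0.0.9 - - [10/Apr/2023:10:20:01 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199 "-" "curl/7.88.1"
10.0.0.9 - - [10/Apr/2023:10:20:02 +0000] "GET /manager/html HTTP/1.1" 404 196 "-" "curl/7.88.1"
10.0.0.9 - - [10/Apr/2023:10:20:03 +0000] "GET /console HTTP/1.1" 404 196 "-" "curl/7.88.1"
10.0.0.5 - - [10/Apr/2023:10:30:00 +0000] "GET /about.html HTTP/1.1" 200 880 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: the default User-Agent of nmap's NSE HTTP library contains this text.
NSE_UA_MARKER = "Nmap Scripting Engine"


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_scanners(log_text, window=timedelta(seconds=10), threshold=5):
    """Map each suspicious source IP to the set of reasons it was flagged."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    flagged = defaultdict(set)
    for src, recs in by_src.items():
        # Signal 1: the scanner announces itself in the User-Agent header.
        if any(NSE_UA_MARKER in r["ua"] for r in recs):
            flagged[src].add("nmap-nse-user-agent")
        # Signal 2: many distinct paths from one client inside a short window;
        # this catches enumeration even when the User-Agent has been changed.
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            paths = {r["path"] for r in recs[i:] if r["ts"] - first["ts"] <= window}
            if len(paths) >= threshold:
                flagged[src].add("path-enumeration-burst")
                break
    return dict(flagged)


if __name__ == "__main__":
    for src, reasons in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{src}: {', '.join(sorted(reasons))}")
```

Running the script flags 192.168.2.232 on both signals and 10.0.0.9 on the burst signal alone, while the normal browsing client 10.0.0.5 is not reported; tune the window and threshold to the request rate of the monitored web server before using the burst rule in production.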

8 Once the nmap command has been executed, switch back to the VM-WIN2012 console.
9 In the Deep Discovery Inspector web console, go to Detections > All Detections.
10 View the entries for the above nmap scans. The following detections should be displayed:

11 The next step will need to be performed using the Chrome web browser. If you are not already using
Chrome, you must start a new connection to the Deep Discovery Inspector using the Chrome web
browser.


12 Next, go to Detections > All Detections and click the Details icon for one of the NMAP detections.
Note the rule that matched this detection. The rule is 2682 NMAP - HTTP (Request),
which is the rule that you enabled earlier.

13 Click on the rule ID 2682. This connects to the Trend Micro Threat Encyclopedia where
information can be obtained for this particular rule.

14 Examine the information that is provided in the threat encyclopedia for DDI Rule 2682.
• Expand the Overview section and review the summary.
• Go through the Technical Details.
• Under Solution take a look at any recommended immediate actions that are suggested for
this particular detection type. There are even secondary actions given.


Exercise 4: Disabling Logs for Safe Events

Lab Preparation
1 Before proceeding to the next activity, switch back to the VM-KALI computer in the lab
environment and run the following nmap command to generate TCP port scan detections in
preparation for the next set of lab activities.
# nmap -v -sT 192.168.2.0/24 (This is a TCP port scan.)
2 Switch back to VM-WIN2012 in the lab environment, and in the Deep Discovery Inspector web
console, go to Detections > All Detections to ensure that you are seeing detections for the above
step.

Note: If you are not seeing any detections, notify your trainer before proceeding to the next lab
activity.

The events will appear as port scan detections similar to the following.


Use Case: Remove Logging for Internal Port Scanner Detections


The security team at ABC Corp. frequently uses internal port scans for routine security audits
including monitoring hosts and service up times. Traffic from these regular port scans is being
detected by Deep Discovery Inspector and after some initial checking and investigating by the Deep
Discovery Inspector team, it has been determined that the port scanner events can safely be
excluded from all Deep Discovery Inspector detection logs going forward. In other words, the team
would like for Deep Discovery Inspector to stop monitoring (or ignore) traffic generated from these
routine internal port scans.

The steps below will guide you through the required configuration for the above use case.
1 Still in the Deep Discovery Inspector web console, go to Detections > All Detections.
2 Click the Advanced link to perform an advanced search.
3 From the Filter drop-down, find Detection Information, and select Threat/Detection/Reference.
4 Set this filter to contain the text “scan”.
5 With the filter set, click Search.


This should display all the nmap detections for all the port scans executed in the previous activity
similar to the illustration below.

6 Next, click the Details icon for one of the port scan detections that are listed.
7 Under the Detection Information, find the Detection rule ID that was matched and record it here:
______________

8 Close the Detection Details page, and in the web console, go to Administration > Monitoring /
Scanning.


9 Select Detection Exceptions from the left-hand navigation.

10 Click + Add, and in the Add Exception screen, configure the following settings to create an
exception for rule 4226 that was recorded above.

Status: Enabled
Description: Internal security audits
Exception Criteria: Detection Rule ID in 4226


11 Next, click + to add another exception criterion using the following configuration settings:

Status: Enabled
Description: Internal security audits
Exception Criteria: Source IP Address in 192.168.2.232

12 Click Add to continue once the settings have been configured.


13 This will display the new Detection Exceptions configured above. Click Save.

Note: From this point forward, any traffic matching detection rule 4226 and source IP
192.168.2.232 will no longer be logged to the Detections logs.
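The following Python model is an added example and is not Deep Discovery Inspector code. It reproduces the behaviour the note above describes: a detection is dropped from the logs only when ALL criteria of an enabled exception match (rule ID 4226 AND source IP 192.168.2.232), so a port scan from a host other than the audit scanner is still logged. The detection records are constructed, and rule 4226 stands for the port scan rule you recorded in Step 7.

```python
"""Modelling a Deep Discovery Inspector detection exception (added example).

Not Deep Discovery Inspector code. An exception suppresses a detection only
when every configured criterion matches; anything else is still logged.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    rule_id: int
    src_ip: str
    dst_ip: str
    threat: str


@dataclass(frozen=True)
class DetectionException:
    enabled: bool
    description: str
    rule_ids: frozenset = frozenset()   # criterion: Detection Rule ID in ...
    source_ips: tuple = ()              # criterion: Source IP Address in ... (hosts or CIDRs)

    def matches(self, det):
        """True only when every configured criterion holds for the detection."""
        if not self.enabled:
            return False
        if self.rule_ids and det.rule_id not in self.rule_ids:
            return False
        if self.source_ips:
            src = ipaddress.ip_address(det.src_ip)
            if not any(src in ipaddress.ip_network(n, strict=False) for n in self.source_ips):
                return False
        return True


def apply_exceptions(detections, exceptions):
    """Split detections into those still logged and those suppressed.

    Each suppressed entry keeps the description of the exception that fired,
    which is what a reviewer needs when asking why an event is absent from the logs.
    """
    logged, suppressed = [], []
    for det in detections:
        hit = next((e for e in exceptions if e.matches(det)), None)
        if hit is None:
            logged.append(det)
        else:
            suppressed.append((det, hit.description))
    return logged, suppressed


# The exception built in steps 10 and 11 of this exercise.
AUDIT_EXCEPTION = DetectionException(
    enabled=True,
    description="Internal security audits",
    rule_ids=frozenset({4226}),
    source_ips=("192.168.2.232",),
)

# Constructed detection records: 4226 stands for the port scan rule recorded above,
# 2682 for NMAP - HTTP (Request) from Exercise 3.
SAMPLE_DETECTIONS = [
    Detection(4226, "192.168.2.232", "192.168.2.230", "TCP port scan from the audit scanner"),
    Detection(4226, "10.0.0.77", "192.168.2.230", "TCP port scan from an unknown host"),
    Detection(2682, "192.168.2.232", "192.168.2.230", "NMAP - HTTP (Request)"),
]


if __name__ == "__main__":
    logged, suppressed = apply_exceptions(SAMPLE_DETECTIONS, [AUDIT_EXCEPTION])
    for det in logged:
        print(f"LOGGED     rule {det.rule_id} {det.src_ip} -> {det.dst_ip}: {det.threat}")
    for det, why in suppressed:
        print(f"SUPPRESSED rule {det.rule_id} {det.src_ip} -> {det.dst_ip}: {det.threat} ({why})")
```

Only the first record is suppressed: the scan from 10.0.0.77 fails the source IP criterion and the HTTP probe from the scanner fails the rule ID criterion. Keeping both criteria in one exception is what prevents the audit exception from hiding a real scan launched from elsewhere.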


14 To verify the exception rule created above, switch to the VM-KALI computer in the lab
environment and repeat the earlier port scan activity by running the following nmap port scan
command.
# nmap -v -sT 192.168.2.0/24 (This is a TCP port scan.)
15 Once the above port scan is complete, switch back to the VM-WIN2012 console.
16 In the Deep Discovery Inspector web console, check Detections > All Detections again.
17 Are detections being logged for this event now?
They should NOT be logged as detections at this point. Check the time stamps on the detections
to be sure.
18 Proceed to the next exercise, where we will manually mark the older port scanning detections as
Resolved now that our detection exceptions are in place and working correctly.


Exercise 5: Marking Detections as Resolved


In the previous exercise, a rule exception was added to stop logging port scan detections for safe traffic
caused by the organization’s routine internal security audits.

In this activity, you will mark all previous scan detections (logged prior to the configured exception rule)
as Resolved.

Best Practice: This action helps a security administrator or officer to easily identify detections that
have already been analyzed and taken care of.

1 In the Detections > All Detections page, repeat the advanced search that was performed in a
previous activity to find all port scan detections.
2 The advanced filter should appear as follows:
• Filter: Threat/Detection/Reference > Contains > scan
Click Search.


3 Next, click on Mark Displayed as Resolved, and when prompted, select Mark Detections as
Resolved.

4 This will replace the flag icon under Status with a green check mark, indicating that the detection is
now Resolved. Alternately, you can click on the flag under Status, and this will also mark a
detection as resolved.


Exercise 6: Exporting Logs for your Security Team

Use Case: Export Logs for Unresolved Threats


The Security team at ABC Corp. is requesting a copy of the detection logs in CSV format, including
ONLY “unresolved” detections by Deep Discovery Inspector. For example, the report should NOT
include detections marked as RESOLVED by the Deep Discovery Inspector administrator.

Perform the steps below to export the required logs:


1 In the Detections > All Detections page, remove the filter created in the previous exercise.
2 Create a new Advanced search filter to show all detections with a Status that Equals
“unresolved”. The configured filter should look like the following:
Filter: Status/Equals/Unresolved

3 After configuring the above search filter, click Search. This should display results similar to the
following:


4 Next, in the top-left of the display, click Export.

5 Click Save to save the file all_detection.zip to the Desktop.


6 Open the all_detection.zip archive using 7-Zip, then extract the contents to your Desktop
using the default all_detection folder.

7 In the all_detection folder, open the file threats.csv using Notepad ++.


8 The CSV file will only contain detection logs for the above Detections search query. Therefore,
there will not be any port scans in this CSV export.

9 (Optional: Analyzing Detection Information) To help gain a better understanding of the
information that is provided in the detection logs, try cross-referencing the fields in
threats.csv with the output provided in Detections > All Detections or Dashboard widgets.
10 (Optional: Finding Detections with Virtual Analyzer Results) Create an advanced filter to find all
Deep Discovery Inspector detections that contain a Virtual Analyzer report.


Exercise 7: Deactivating Detection Rules

USE CASE: Deactivating SQL Detections from Deep Discovery Inspector Logs

The Security Team at your organization has been using Deep Discovery Inspector for months to
inspect ALL traffic and investigate every single detection that was made (for example, the Security
team has enabled ALL of the available Detection Rules in Deep Discovery Inspector during this
period as part of their Testing Program).

After completing a thorough analysis of the system and detection logs, the team concluded that
going forward, since there are no MySQL servers being used on their internal network, any rules
associated with this service can be safely deactivated.

Your job is to configure the above case scenario. The following steps can be used to check your work.

Note: This activity is being used solely for training purposes. Nevertheless, in an actual deployment, it
is strongly recommended to disable ANY detection rules that are NOT required or relevant for
your network in order to preserve Deep Discovery Inspector computing resources.

As the fictitious network environment for our use case is not using any MySQL servers, rules
associated with this service can be deactivated.
1 Go to Administration > Monitoring / Scanning > Detection Rules.
2 Press the keys CTRL-F simultaneously, and in the search box that appears, enter mysql.


3 You will need to hit the ENTER key to scroll down and view additional search results. In total there
should be 8 MySQL rules as follows:
• 559, 560, 561, 562, 564, 2220, 2239, 2240


4 To obtain more information about one of these MySQL rules, click the rule number hyper-link
such as 559. This will connect to the Trend Micro Threat Encyclopedia page where you can view
the detection rule details such as severity, protocol, confidence level and so on.

5 Close the Trend Micro Threat Encyclopedia web page.


6 Back in the Detection Rules page, click on the check mark that appears in front of rule 559. The
icon should be replaced with a red null symbol to indicate that rule 559 is now set to disabled:


7 Repeat the above step to disable the remaining 7 MySQL rules in your search results.


8 With all 8 MySQL rules now disabled, scroll to the top of the Detection Rules page, and click Save
Changes.

From this point on, Deep Discovery Inspector will no longer be able to detect MySQL events
matching these disabled rules.

Best Practice: Disabling detection rules like these might be especially useful when first
deploying Deep Discovery Inspector, as your security team identifies all traffic and
events deemed “normal” or “safe” in your organization’s network.



Lab 8: Reporting
In the following lab activities, you will perform various activities using the report functionalities in Deep
Discovery Inspector.

Estimated time to complete this lab: 15 minutes

LAB OBJECTIVES
• Generating On-demand Reports
• Creating a Scheduled Report
• Obtaining IOCs from Virtual Analyzer Report Investigation Packages

Exercise 1: Generating On-demand Reports


1 In the Deep Discovery Inspector web console go to Reports and select the On-demand Reports
tab.


2 Click Add and select Threat Detection Report as the Type. Here you can also specify the number
of top threats to be included in the report. Accept the default value of 10 top detections.

3 For the Scope, accept the default of All monitored hosts.


4 Scroll through the Table of Contents to see the types of data that will be included in this report.
5 Next click Generate to create the report.
Once the report has been generated, it will appear in the list as follows.

6 Click the PDF icon from the Download column to download the report PDF file.
7 Accept the default file name for the report ThreatDetectionReport_TOP10_... and save it to
the Desktop.


8 Double-click the Threat Detection Report file to open it. By default, the report will open in your
web browser as follows. Take some time to go through the report to see what is included.

9 Navigate through the various sections of the report and review the following:
• What was the TOP attack source and for which threat type?

______________________________________________________________________________
• Is the above threat a true threat? If not, how can we prevent this type of detection from
being logged and appearing in our reports going forward?

______________________________________________________________________________
• Were there any files downloaded by malware? If so from which location (IP address or
domain) were the files downloaded?

______________________________________________________________________________
• Which day exhibited the highest threats for the reporting period?

______________________________________________________________________________
• How many samples were submitted to the Virtual Analyzer in this reporting period? How
many of the samples/files turned out to be High risk?

______________________________________________________________________________


Exercise 2: Creating a Scheduled Report


In this exercise, you will perform the required steps for generating a scheduled report for Top Affected
Hosts to occur on a daily basis.
1 In the Deep Discovery Inspector web console go to Reports and click Schedules. This will display
all the scheduled reports that are currently configured in Deep Discovery Inspector. The
scheduled Daily and Weekly reports shown here are configured by default.

2 Click Add and create a new scheduled report using the following settings:

Name: Host Severity
Schedule: Daily
Type: Host Severity Report
Show top: 10
Scope: All monitored hosts
Notification: off


3 Click Save. The scheduled Host Severity report should appear as follows.

4 After scheduled reports are generated, they will appear as icons in the calendar under Schedule
Reports.

5 (Optional) Create an on-demand Report for Host Severity and view the information that is
provided.


Exercise 3: Obtaining IOCs from Virtual Analyzer Report Investigation Packages

In this exercise, students will use the Virtual Analyzer Report for the threat EXPL_CVE20120158 to
obtain the generated OpenIOC (Indicators of Compromise) for this threat.
1 In the Deep Discovery Inspector web console, go to Detections > All Detections and perform an
Advanced search to find all detections that have a Virtual Analyzer Result.

2 Select the Details icon for the EXPL_CVE20120158 threat. If you do not see this threat listed in
your view, select any other threat, and view the details.


3 Under Detection Information, click the hyper-link (Refer to File Analysis Report) to jump to this
section of the detection details.

4 Under File Analysis Result, select the Download drop-down, then click Investigation Package.

5 Take note of the password for the archive file and click OK to download it.

6 When prompted save the investigation package ZIP file to the Desktop.


7 Open the Investigation Package ZIP with 7-Zip.


8 Extract the files to the Desktop using the default folder name, and click OK.
9 When prompted, enter the password virus to extract the files.
10 Navigate to the Investigation Package folder and use Notepad++ to open the file with the
ioc.stix extension. (The file name of your IOC file may not be the same as the one shown
below which is fine.)

11 The ioc.stix file contents will appear similar to the following:

The IOCs and other files in this Investigation Package, generated from the Virtual Analyzer (DDAN) File
Analysis report, can be shared with your security analysts for further investigation. In the case
where the malware file is deemed to be a true threat, the included suspicious objects (SOs) can be
shared with your own security devices, and the IOCs can be used to perform threat intelligence
sweeps in your organization.
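The sweep mentioned above, as an added Python example that is not Trend Micro code: the IOC document below is constructed and only loosely follows STIX 1.x / CybOX element names, so the parser matches elements by local name rather than by a specific schema (the real ioc.stix file from a Virtual Analyzer investigation package is not reproduced here). The hash values and the per-host file inventory are constructed as well.

```python
"""Sweeping an endpoint inventory with hash IOCs (added example, not Trend Micro code).

The IOC XML and the inventory are constructed. Hashes are normalised (algorithm
upper-case, digest lower-case) before matching so that case differences between
the IOC file and the collection tooling do not hide a hit.
"""
import xml.etree.ElementTree as ET

SAMPLE_IOC_XML = """\
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2">
  <stix:Observables>
    <cybox:Observable id="constructed-observable-1">
      <cybox:Object>
        <cybox:Properties>
          <FileObj:File_Name>sample.doc</FileObj:File_Name>
          <FileObj:Hashes>
            <cyboxCommon:Hash>
              <cyboxCommon:Type>SHA256</cyboxCommon:Type>
              <cyboxCommon:Simple_Hash_Value>0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF</cyboxCommon:Simple_Hash_Value>
            </cyboxCommon:Hash>
            <cyboxCommon:Hash>
              <cyboxCommon:Type>MD5</cyboxCommon:Type>
              <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value>
            </cyboxCommon:Hash>
          </FileObj:Hashes>
        </cybox:Properties>
      </cybox:Object>
    </cybox:Observable>
  </stix:Observables>
</stix:STIX_Package>
"""

# Constructed per-host inventory: (path, algorithm, digest) as an EDR or collection script would report it.
INVENTORY = {
    "ws-finance-07": [
        (r"C:\Users\alice\Downloads\invoice.doc", "sha256", "0123456789abcdef" * 4),
        (r"C:\Windows\System32\notepad.exe", "sha256", "fedcba9876543210" * 4),
    ],
    "ws-hr-02": [(r"C:\Temp\report.doc", "md5", "0123456789abcdef" * 2)],
    "ws-it-11": [(r"C:\Temp\clean.txt", "sha256", "00" * 32)],
}


def local_name(tag):
    """Strip the namespace from an ElementTree tag such as '{uri}Hash'."""
    return tag.rsplit("}", 1)[-1]


def extract_hash_iocs(xml_text):
    """Return a set of (ALGORITHM, lowercase_digest) pairs found in the IOC document."""
    root = ET.fromstring(xml_text)
    iocs = set()
    for el in root.iter():
        if local_name(el.tag) != "Hash":
            continue
        algo = digest = None
        for child in el:
            if local_name(child.tag) == "Type":
                algo = (child.text or "").strip().upper()
            elif local_name(child.tag) == "Simple_Hash_Value":
                digest = (child.text or "").strip().lower()
        if algo and digest:
            iocs.add((algo, digest))
    return iocs


def sweep(inventory, iocs):
    """Return (host, path, ALGORITHM) for every inventory entry matching an IOC."""
    hits = []
    for host, files in inventory.items():
        for path, algo, digest in files:
            if (algo.upper(), digest.lower()) in iocs:
                hits.append((host, path, algo.upper()))
    return hits


if __name__ == "__main__":
    for host, path, algo in sweep(INVENTORY, extract_hash_iocs(SAMPLE_IOC_XML)):
        print(f"{host}: {path} matches {algo} IOC")
```

Two hosts are reported: the SHA256 match on ws-finance-07 and the MD5 match on ws-hr-02, while ws-it-11 is clean. Treat an MD5-only match as a lead to confirm with a stronger hash or a copy of the file, since MD5 collisions are practical.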



Lab 9: Configuring Deep Discovery
Email Inspector and Verifying the Install
In this lab, students will complete the configuration of a Deep Discovery Email Inspector that has already
been deployed in the virtual lab environment, and then perform some activities to verify correct
functionality.

Estimated time to complete this lab: 20 minutes

LAB OBJECTIVES
• Activating and Setting the System Time
• Setup Virtual Analyzer Settings to use Deep Discovery Analyzer
• Configuring Mail Settings
• Testing Virus Detection in Deep Discovery Email Inspector
• Verifying if Events Have Been Detected
• Test Component Updates (Engines/Patterns)

Exercise 1: Activating and Setting the System Time


1 From a web browser on VM-WIN2012, connect to the Deep Discovery Email Inspector web console
using the following URL: https://192.168.2.130. Alternately, you can use the DDEI shortcut
in Google Chrome. Log in with the credentials: admin/Trendmicro0!.
2 Next, go to Administration > Licenses and verify that the Deep Discovery Email Inspector has a
valid activation code and is correctly activated.

Note: Before proceeding to the next step, ensure that both Deep Discovery Email Inspector modules
appear as Activated. Notify your Instructor if this is not the case.



3 Go to Administration > System Settings > Time and configure the correct settings for your
location.

4 Time setting changes will trigger a system restart. To continue, select Save and Restart.



Exercise 2: Setup Virtual Analyzer Settings to use Deep Discovery Analyzer
In the following steps you will configure access to the Deep Discovery Analyzer external sandbox.
1 Still in the DDEI web console, go to Administration > Scanning / Analysis > External Integration
and configure the following:
• For Source select the value External
• Set Server address and API Key (obtain from Help menu in Deep Discovery Analyzer web
console)

2 Click Test Connection then click Save. The registration status should now appear as Registered.



3 Next, select Virtual Analyzer > Settings from the Scanning / Analysis menu and configure which
file types Virtual Analyzer will analyze, as follows:
Move all file types that appear in the first list over to the Always Analyze list.

Note: For actual deployments, follow your specific security policy and regulations.

4 Click Save.



Exercise 3: Configuring Mail Settings
The steps below will guide you through the process for configuring the mail settings for Deep Discovery
Email Inspector operating in MTA mode.

1 Still in the DDEI web console, go to Administration > System Settings > Operation Mode and select
MTA mode for the operation mode.

2 Next, go to Administration > Mail Settings > Connections and verify the following configuration.
This configuration enables DDEI to accept mail traffic:
• SMTP Interface: set Port to 25
• Connection Control: Enable the option Accept all, except the following list

3 Scroll down and click Save to continue.



4 Still in the Mail Settings configuration, select the Message Delivery tab then click Add and
configure the following settings:
• Status: Enabled
• Recipient: *
• Destination server: Specify servers
- IP Address: 192.168.2.232 (SMTP Server on VM-KALI)
- Port: 25
- Priority: 10
5 Click Save. Once you have saved your settings, the entry for the next mail hop domain you are
configuring appears as follows:

6 Next, under Limits and Exceptions, set Permitted Senders of Relayed Mail to Hosts in the same
subnet as follows.

7 Click Save.



Note: As noted in the Message Limits section, you can remove the Maximum message size and
Maximum number of recipients limits by setting these values to “0”. Defaults for these values are
10 and 1000 respectively.
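The following Python model is an added example of the relay decision that the Connections, Message Delivery and Limits and Exceptions settings above combine to make; it is not Deep Discovery Email Inspector code. It assumes the MTA interface is 192.168.2.130 (the DDEI address used in this lab) and that Hosts in the same subnet means the /24 around that address, models the connection control list as a deny list, and uses constructed local domains and addresses.

```python
"""Relay decision for an MTA-mode mail gateway (added example, not DDEI code).

Assumptions: "Hosts in the same subnet" is the /24 of the MTA interface;
"Accept all, except the following list" is a deny list of client networks;
LOCAL_DOMAINS are the domains the gateway delivers inbound mail for.
All addresses and domains are constructed.
"""
import ipaddress

MTA_ADDRESS = ipaddress.ip_address("192.168.2.130")          # DDEI address used in this lab
RELAY_NETWORKS = [ipaddress.ip_network("192.168.2.0/24")]    # assumption: "same subnet" = /24
LOCAL_DOMAINS = {"example.com"}                               # constructed
DENIED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]    # constructed deny-list entry


def relay_decision(client_ip, rcpt_to):
    """Return (accepted, reason) for one RCPT TO command from client_ip."""
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in DENIED_CLIENTS):
        return False, "connection refused: client is on the except list"
    domain = rcpt_to.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return True, "inbound mail for a local domain"
    if any(client in net for net in RELAY_NETWORKS):
        return True, "relay permitted: sender host is in the same subnet"
    return False, "relay denied: external client to external recipient"


def check_session(client_ip, recipients):
    """Evaluate every recipient of one session; returns a list of (rcpt, accepted, reason)."""
    return [(rcpt, *relay_decision(client_ip, rcpt)) for rcpt in recipients]


if __name__ == "__main__":
    for client, rcpts in [
        ("192.168.2.232", ["partner@example.net"]),   # internal host relaying outbound
        ("198.51.100.7", ["user2@example.com", "partner@example.net"]),  # external sender
        ("203.0.113.9", ["user2@example.com"]),       # deny-listed client
    ]:
        for rcpt, ok, why in check_session(client, rcpts):
            print(f"{client} -> {rcpt}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The last branch is the one that matters for exposure: an external client may deliver to a local domain but may not use the gateway to reach a third party. Widening Permitted Senders of Relayed Mail beyond your own subnets turns the appliance into an open relay, which is why the lab keeps it at Hosts in the same subnet.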

8 (Optional) Next, you can select the SMTP Greeting tab and either accept the default SMTP
greeting message or configure your own.

9 (Optional) Go to Policies > Exceptions to add any exceptions for Messages, Objects (files), URL or
Domain and Graymail.



For example, you can set the following object exceptions:

Note: The above configuration can be used to avoid false positives for unresolvable internal domains or
URLs.



Exercise 4: Disabling Smart Feedback in DDEI
Before completing the next lab activity, the Smart Feedback function in DDEI will need to be disabled.
The steps are provided below.

Note: This configuration is only a requirement for the purposes of our virtual lab environment in order
for the lab exercises to work correctly.

1 Still connected to the Deep Discovery Email Inspector web console, go to Administration >
Scanning / Analysis > Smart Feedback.
2 Under Smart Feedback, remove the check mark in the box for Enable Smart Feedback
(recommended) to disable it as follows:

3 Click Save to continue.



Exercise 5: Testing Virus Detection in Deep Discovery Email Inspector
In this exercise, students will use Mozilla Thunderbird to send test emails within the virtual lab
environment to verify the correct functionality of Deep Discovery Email Inspector configured in MTA
mode. In addition, activities will be performed to examine the behavior of Deep Discovery Email Inspector
when sending both valid and malicious test emails to a mail recipient.
1 Open Mozilla Thunderbird located on VM-WIN2012. You will notice that 2 test user accounts have
already been configured for your use in this lab activity, [email protected] and
[email protected].
2 Send a test message from: [email protected] to: [email protected].
3 Click Send then verify that the test message correctly appears in user2’s Inbox. Closely
examine the message body and notice that Deep Discovery Email Inspector analyzed the email.

4 Later in this exercise, we will check the Deep Discovery Email Inspector detection logs to view the
details for this test message.
5 To change the message tag end stamp seen above for all emails processed by DDEI, go to Policies
> Policy Objects > Stamps and enter a new string for End stamp. Don’t forget to disable the
Default stamp as follows if you are adding your own end stamp.



6 Repeat the above steps to send another test message from: [email protected] to:
[email protected] only this time attach the eicar.com file that is located in: C:\Lab
Files\distri\eicar.
7 (Optional Step) You can optionally compress the eicar.com test file with a password, then attach
the compressed file, and include the password as part of the message body.

8 Click Send to send user2 this message with the password-protected eicar.zip attachment.
9 Before proceeding to next exercise, examine the Sent folder for user1. There should be 2
messages (or 3 messages if the optional step was performed above).

Inform your instructor if you do not see at least the first 2 test emails that were sent.



Exercise 6: Verifying if Events Have Been Detected
In this exercise, you will verify the detected message logs to query the traffic record for the above tests.
1 In the Deep Discovery Email Inspector web console, go to Logs > Message Tracking to examine
the traffic record for the test mail messages sent in the previous exercise.

2 Next, go to Detection > Detected Messages to check the detections.

3 Expand the detection to view additional information about this event.



4 Go to Logs > Message Tracking again, and under the Latest status column for this event, click
Quarantined. Examine the available Quarantine options.

5 (Optional) Earlier when a test email was sent from user1 to user2 with the eicar.com
attachment, DDEI quarantined the message (as expected), however user2 did not receive a
quarantine notification or explanation. The email was simply quarantined.
Challenge: Can you find a setting in DDEI that allows you to configure recipient notifications
when an email has been quarantined by DDEI? Hint: Go to Policies > Policy Management

Exercise 7: Test Component Updates (Engines/Patterns)
1 In the Deep Discovery Email Inspector web console, go to Administration > Component Updates.
If the components are out-of-date, click Update.

When there is no Internet connection available, a message will display indicating “No available
Internet connection”. In this case, you can perform the following checks:
• Verify if Deep Discovery Inspector has been configured to be allowed to go through the
firewall
• Check if you need to use Proxy settings for Internet access



Lab 10: Configuring Deep Discovery
Email Inspector Policies
In this lab, students will go through the process of verifying the Deep Discovery Email Inspector (DDEI)
installation (MTA mode) that was performed in the previous lab.

Estimated time to complete this lab: 20 minutes

LAB OBJECTIVES
• Creating a Policy Object For Content Filtering
• Creating a new Policy for Content Filtering
• Testing the Content Filter Policy
• Viewing the Content Filter Policy Violation
• Viewing the Quarantine

Exercise 1: Creating a Policy Object For Content Filtering
In the following steps, a Keyword List policy object will be created in preparation for a new content
filtering rule that will be created later to block and quarantine all messages containing the keyword
“free” inside an email message body.
1 From the Deep Discovery Email Inspector web console, go to Policies > Policy Objects > Data
Identifiers and select Keyword Lists.
2 Select Add to create a new entry and type a name (maximum of 256 characters and cannot
contain a vertical bar (|)).
3 Choose Any keyword as the criteria.



4 Type the keyword free (keywords can contain 3 bytes to 40 characters) and ensure it is not
case-sensitive.

5 Click Save to continue. The newly created keyword list should now appear as follows:



Exercise 2: Configuring Content Filtering
In this activity, a new content filtering rule will be created to block and quarantine messages containing
the keyword “free” inside the body of an email message.
1 Go to Policies > Policy Management then select Content Filtering Rules.
2 Click Add and specify a name for the new rule.
3 Next, scroll down to Content and click Add.

4 Set the Message section to Body then select the keyword list that was created in the previous lab
activity.

5 Click Save.
6 Next scroll down to the Actions section, and set the Action to Block and quarantine.



7 Configure the policy to Send a Notification and select Notification template for content violation.

8 Click Save to save all the changes to the new content filtering rule. The new rule will appear as
follows with the action of Block and quarantine:

Exercise 3: Creating a new Policy for Content Filtering


In this exercise, you will create a new policy for content filtering that uses the Content Filtering Rule
created in the above activity.
1 Still in the Deep Discovery Email Inspector web console, go to Policies > Policy Management and
click Add.
2 Enable the policy and enter a policy name.

3 Provide an optional description and leave the remaining settings at their defaults.



4 Next, go to Content Filtering and select the content filtering rule you created earlier. Select Add
to create a new entry and type a name for the rule. Click Add and then click Save. The rule
should appear in the list with the name you specified.

5 Next, go to Threat Protection and select the rule Quarantine (high-medium-risk) and tag (low-
risk). Click Add.

6 Click Save to save the new policy. Ensure the new content filtering policy is enabled.

7 Also verify that the rules for this policy correctly show the Keyword list for the Content
Filtering rule, and Quarantine (high/medium-risk) and tag... for the Threat Protection rule.

Once the above policy has been configured, any messages detected with the word “free” in the
message body, should now be blocked and quarantined by the Deep Discovery Email Inspector.



Exercise 4: Testing the Content Filter Policy
In this exercise students will test the content filter policy created above by sending an email with the
keyword “free” included in the email message body.
1 Using Thunderbird, compose a new email message from user1 to user2 and in the message
body enter the keyword “free”. Send the message.

2 Next, check user2’s inbox. The message sent above should NOT appear in user2’s inbox
because the Action configured for the content filtering rule was set to Block and quarantine. The
notification displays as per the settings configured earlier.
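The test messages sent in Lab 9, Exercise 5 (the eicar.com attachment, optionally inside a password-protected archive) and in this exercise (the keyword “free” in the message body) can also be generated outside Thunderbird, which is useful when a gateway test has to be repeated without clicking through a mail client. The following Python script is an added example and is not part of the lab material or of any Trend Micro product. The mailbox addresses, the DDEI MTA host name and the archive password are assumed placeholders (the lab addresses are redacted on this page and the DDEI address is not given in this section), the attachment bytes are supplied by the caller (in the lab they would be read from C:\Lab Files\distri\eicar\eicar.com), and matches_keyword_list is a simplified model of an “Any keyword”, non-case-sensitive Keyword List check, not the DDEI content filtering engine.

```python
"""Generate the DDEI test messages used in the labs (added example)."""
import smtplib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed placeholders: the lab mailboxes are redacted on the page and the
# DDEI MTA address is not given in this section of the lab manual.
LAB_SENDER = "user1@lab.example"
LAB_RECIPIENT = "user2@lab.example"
DDEI_MTA_HOST = "ddei.lab.example"
DDEI_MTA_PORT = 25


def build_keyword_message(sender, recipient, keyword="free"):
    """Plain-text message whose body carries the content-filter keyword."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Content filter test"
    msg.set_content(f"This message contains the word {keyword} in its body.\n")
    return msg


def build_attachment_message(sender, recipient, filename, data, zip_password=None):
    """Message carrying a test file as an attachment.

    In the lab the file is eicar.com from C:\\Lab Files\\distri\\eicar (or the
    eicar.zip created in the optional step); the bytes are supplied by the
    caller. When the archive is password-protected, the password goes into
    the body, as the exercise describes.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"Attachment test: {filename}"
    body = "Test attachment for DDEI detection.\n"
    if zip_password:
        body += f"The archive password is: {zip_password}\n"
    msg.set_content(body)
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


def send_via_ddei(msg, host=DDEI_MTA_HOST, port=DDEI_MTA_PORT, timeout=10):
    """Hand the message to the DDEI MTA over plain SMTP (port 25 by default).

    Returns the dict of refused recipients reported by smtplib; an empty
    dict means the MTA accepted every recipient.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return smtp.send_message(msg)


def summarize(msg):
    """Re-parse the message from its wire bytes, the way a gateway sees it,
    and return the fields the lab checks in Message Tracking and
    Detected Messages."""
    parsed = BytesParser(policy=policy.default).parsebytes(msg.as_bytes())
    body = parsed.get_body(preferencelist=("plain",))
    return {
        "from": str(parsed["From"]),
        "to": str(parsed["To"]),
        "body": body.get_content() if body is not None else "",
        "attachments": [(part.get_filename(), part.get_payload(decode=True))
                        for part in parsed.iter_attachments()],
    }


def matches_keyword_list(body, keywords, criteria="any", case_sensitive=False):
    """Simplified model of a Keyword List check (not the product's engine).

    criteria "any": the rule fires if at least one keyword appears;
    criteria "all": every keyword must appear. Matching is a plain substring
    test, case-insensitive unless requested otherwise.
    """
    if not keywords:
        return False
    haystack = body if case_sensitive else body.lower()
    hits = [(kw if case_sensitive else kw.lower()) in haystack for kw in keywords]
    return all(hits) if criteria == "all" else any(hits)


if __name__ == "__main__":
    # Constructed sample payload standing in for eicar.com; read the real
    # lab file instead when running against the appliance.
    sample = b"constructed sample attachment"
    for message in (build_keyword_message(LAB_SENDER, LAB_RECIPIENT),
                    build_attachment_message(LAB_SENDER, LAB_RECIPIENT,
                                             "eicar.com", sample)):
        print(summarize(message))
        # send_via_ddei(message)  # uncomment once DDEI_MTA_HOST is set
```

Set DDEI_MTA_HOST to the lab appliance before enabling send_via_ddei; summarize() parses each message back from its wire form so the attachment name and the body keyword can be confirmed before checking Logs > Message Tracking and Detections > Detected Messages on the appliance.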

Exercise 5: Viewing the Content Filter Policy Violation


In the next exercise, we will view the Deep Discovery Email Inspector Detected Messages for the content
filtering test message sent in the previous exercise.
1 Go to Detections > Detected Messages and view the details for the content filter violation. Note
the policy and rule that was used for this detection.

2 Try the different options like View Screenshot.



Exercise 6: Viewing the Quarantine
In this exercise, you will view the message that was quarantined by Deep Discovery Email Inspector
because of the content filtering violation.
1 Go to Detections > Quarantine and view the details of the quarantined message.

2 Try out the different actions that can be taken on the quarantined message. An administrator can
Delete this message or Release it to the recipient of the email.
3 Release the message. A notification appears to indicate that the message will not be reprocessed
before being sent to the recipient. Click OK to confirm the release of the email.
4 Verify that user2 has successfully received the message that was released from quarantine.
5 Above, we have seen the behavior of the content filtering when the rule action was set to Block
and quarantine. This time configure the content filtering rule action to Delete Message. You can
refer to the previous activities if you require help.
6 Once you have configured the rule as specified above, compose and send a test message from
user1 to user2 with the keyword “free” in the body of the message.
7 Check the inbox for User2. This time, there should be a notification message received from Deep
Discovery Email Inspector.
8 Check for this detected message and also check the quarantine. Was this detection quarantined?
This time it should NOT be in the quarantine.



Lab 11: Managing Devices through Deep
Discovery Director
In this lab, students will configure settings for Deep Discovery Director, in order to manage a Deep
Discovery environment, deploy Firmware Updates to connected Deep Discovery products and configure
device replication.

To avoid any possible time constraints, the following lab preparation steps have already been completed
for you:
• Deep Discovery Director installed and network settings configured
• Deep Discovery Inspector and Deep Discovery Analyzer product firmware updates already
downloaded
• Sandbox image prepared (Windows 7 client sandbox image already prepared) and saved to Deep
Discovery Director folder

Estimated time to complete this lab: 20 minutes

LAB OBJECTIVES
• Registering with Deep Discovery Director
• Populating the Deep Discovery Director Repository
• Creating a Hotfix / Critical Patch Deployment Plan

Exercise 1: Registering with Deep Discovery Director


1 In the lab environment switch to VM-WIN2012 if you are not already connected.
2 Open a web browser and connect to the Deep Discovery Director web console using the following
URL: https://192.168.2.121.
3 Log in to the Deep Discovery Director web console using the credentials admin / Trendmicro0!
The Deep Discovery Director Dashboard will be displayed as follows:



4 Next, go to Appliances > Directory. You can observe from this page that there are currently no
Deep Discovery appliances that have been added to Deep Discovery Director, or that are being
managed as of yet.

In the steps that follow, you will be adding Deep Discovery Inspector to Deep Discovery Director
so that it can be centrally managed.
5 To register Deep Discovery Inspector with Deep Discovery Director, you will first need to obtain
the Deep Discovery Director’s API key as follows. Still in the Deep Discovery Director web
console, go to Help.
6 Copy the API key from the Help screen:

7 Next, open a new tab in the web browser and connect to the Deep Discovery Inspector web
console. (admin/Trendmicro0!)
8 Go to Administration > Integrated Products/Services.



9 Select Deep Discovery Director from the menu on the left navigation pane:

10 Enter the IP address 192.168.2.121 as the Server address and paste in the API key that was
obtained above for the Deep Discovery Director. Click Register to complete the registration
process. This might take a moment to finish.



11 Once successfully registered, the web console Management Server tab settings will reflect the
following.

The Deep Discovery Inspector has now been successfully registered with Deep Discovery
Director.
12 Switch back to the web browser tab for the Deep Discovery Director web console and go to
Appliances > Directory.
13 Click the Unmanaged folder from the menu on the left navigation pane. The newly registered
Deep Discovery Inspector named localhost should be listed as an unmanaged device as follows.

You must now move the Deep Discovery Inspector to the Managed folder so that it can be
managed by Deep Discovery Director.
14 Hover over the localhost entry that appears under the Unmanaged folder, then click the 3
vertical dots to reveal additional menu items:



15 Next, click Move then select Managed from the pop-up. Click Move to complete this action.

The Deep Discovery Inspector (currently named localhost) should now be located under the
Managed folder as follows

Setting up a Display Name for DDI


The DDI deployed in your student lab environment was inadvertently configured without a host
name, which is why its display name is localhost. Display Name reflects the hostname value
specified in the Deep Discovery Inspector Administration > Network Settings. When the hostname is
blank on the DDI, the name defaults to localhost.
There are 2 ways this can be resolved at this point:
- Option 1: Configure a hostname on the DDI itself
- Option 2: Rename the localhost DDI in the DDD web console so it can more easily be
identified by the DDD administrator.
To get more practice using the Deep Discovery Director web console, we will use Option 2.



16 From the menu on left hover over the name localhost under the Managed folder and select the 3
vertical dots to reveal more menu options.

17 Click Edit then enter DDI for the name of the Deep Discovery Inspector.

18 Click Save.
The Deep Discovery Inspector device now appears listed under the Managed folder with the
name DDI as follows:

Note: Separate folders can be created under Managed in order to organize your managed devices in a
more structured way. This is very useful for larger deployments in cases where there might be
hundreds of devices to manage, and you must scroll through very long lists of devices, or
perform multiple searches to find a particular device or list of devices you need to manage. If you
organize your devices in a folder structure that makes sense for your organization (for example
devices by Region, or Business Unit, or Network Profile etc.) this will greatly simplify your Deep
Discovery management efforts in DDD.



In our simplified lab environment, we will only be managing a few Deep Discovery devices and
therefore, setting up an entire folder structure in this case would be excessive.
19 Repeat all of the above steps to add the Deep Discovery Analyzer in your virtual lab network
environment as a managed product in Deep Discovery Director. Use the following settings:

Device                    IP address       Device Name in DDD
Deep Discovery Analyzer   192.168.2.120    DDAN

20 Before proceeding to the next exercise, verify that the Deep Discovery Inspector and the Deep
Discovery Analyzer are now listed as managed devices in the Deep Discovery Director as follows:

Note: For environments with Apex Central, it is very important to note that once Deep Discovery
Analyzer is registered with a Deep Discovery Director, the Deep Discovery Analyzer Suspicious
Objects will be synchronized with Deep Discovery Director instead of with Apex Central.

A notification will also be displayed in the top banner as follows: “Synchronization of
Suspicious Objects set to Deep Discovery Director instead of Apex Central”.



Exercise 2: Populating the Deep Discovery Director Repository
Before you can create your device-specific deployment plans for DDD-managed devices, you will need to
first populate the Deep Discovery Director Repository with any product hotfixes, critical patches,
firmware or Virtual Analyzer images that you will need to deploy to your managed devices.

In this exercise, we will add a Deep Discovery Analyzer critical patch (that has already been downloaded
to the Windows Desktop VM for your convenience) to the Deep Discovery Director Repository in
preparation for a deployment to the DDD-managed DDAN in an upcoming lab activity.
1 In the Deep Discovery Director web console, go to Appliances > Repository and click Upload.

2 Click Select and navigate to the DDAN patch that is located in E:/Patches. The upgrade file is
called: ddan_72_lx_en_criticalpatch_b1210.7z.zip.tar.
Provide an optional description then click Upload.



The upload process will take a few moments to complete.

Once uploaded, the hotfix will appear in the Repository list as follows:



Exercise 3: Creating a Hotfix / Critical Patch Deployment Plan
Deployment plans in Deep Discovery Director can be utilized for deploying hotfixes, patches, firmware,
sandbox images, as well as replicating the configuration from devices allowing you to duplicate settings
from one appliance to another.

In this activity, you will create a deployment plan, to deploy a hotfix / critical patch to the DDD-managed
Deep Discovery Analyzer device.
1 In the Deep Discovery Director web console go to Appliances > Plans and click + Add to add a new
deployment plan.

2 Enter the following details for the new plan:

Name: ddan_72_lx_en_criticalpatch_b1210.7z.zip.tar
Type: Hotfix / Critical patch / Firmware
Description: Critical patch for DDAN Version 7.2



3 Scroll down, and expand the Hotfix /Critical Patch /Firmware section. Enable the DDAN hotfix
that is listed:

4 Scroll down to the Targets section (expand if needed) and enable the checkbox to select the Deep
Discovery Analyzer device as follows:



5 Scroll down and expand Schedule. To execute the deployment plan immediately, set the schedule
to immediate. Note that in an actual deployment, patch updates would realistically be planned for
and scheduled during off-peak network traffic hours.

6 Click Save to continue.

7 The configured deployment plan will appear in the list as follows:

8 Go to Appliances > Directory, and from the Managed folder, select your Deep Discovery Analyzer
device.
9 Under Plan, view the deployment details for the deployment of the hotfix and note the
deployment details.
