Virtual Analyzer

Virtual Analyzer is a cloud sandbox designed for analyzing suspicious files. Sandbox images allow observation of file behavior in an environment that simulates endpoints on your network without any risk of compromising the network.

Virtual Analyzer works in conjunction with Threat Connect, the Trend Micro global intelligence network that provides actionable information and recommendations for dealing with threats.

Cloud App Security sends suspicious files to Virtual Analyzer when a file exhibits suspicious characteristics and signature-based scanning technologies cannot find a known threat. Virtual Analyzer performs static analysis and behavior simulation in various runtime environments to identify potentially malicious characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.

Note:

A suspicious object is a known malicious or potentially malicious IP address, domain, URL, or SHA-1 value found in submitted samples. Trend Micro Threat Connect correlates suspicious objects detected in your environment and threat data from the Trend Micro Smart Protection Network to provide relevant and actionable intelligence.

Configuring Virtual Analyzer

  1. Select Virtual Analyzer.
  2. Select Enable Virtual Analyzer.
    Note:

    When enabled, Virtual Analyzer takes three minutes on average to analyze an attachment or file and identify its risk; for some files, analysis can take as long as 30 minutes.

  3. Optionally select the Monitor and log only check box to enable Virtual Analyzer to work in monitor mode.
    Note:
    • In monitor mode, Virtual Analyzer still analyzes the suspicious messages and files that Cloud App Security sends to it. Cloud App Security, however, only records those messages and files in logs and delivers them to end users without taking any of the actions configured here. This lets you evaluate the Virtual Analyzer capability with zero impact on mail flow and file sharing.

    • When monitor mode is enabled, none of the following settings applies, except that Cloud App Security still notifies administrators upon detection of security risks, if enabled in Action.

  4. (Exchange Online only) Select the scope of email messages that Virtual Analyzer scanning applies to.
    • All messages

    • Incoming messages

      Note:

      Incoming messages means that this policy applies only to incoming email messages sent from non-internal domains.

  5. (Exchange Online only) Configure Approved Sender List.
    1. Select Enable the approved sender list.
    2. Specify a sender email address to exclude from scanning and click Add >.
      Note:

      Wildcard characters and regular expressions are not supported for individual email addresses; each entry must be a complete address.

    3. Optionally click Import to import sender email addresses in batches.
  6. Configure Action settings.
    Note:

    Virtual Analyzer assigns a risk level to analyzed files based on the file's behavior in the virtual sandbox. Select the action based on this assigned risk level.

    • Exchange Online policies

    Tag subject: Cloud App Security adds keywords before the email message subject (Risk Level: <subject>) to inform the user that an action occurred. The email message is delivered to the intended recipient, but the tag informs them that the original content was infected and was replaced.

    Delete: Cloud App Security deletes the entire email message and does not deliver it to the intended recipient.

    Quarantine: Cloud App Security moves the email message to a restricted access folder, removing it as a security risk to protected services.

    Pass: Cloud App Security records the detection in a log and delivers the message unchanged.

    • SharePoint Online and OneDrive for Business policies

    Delete: Cloud App Security deletes the file and replaces it with a replacement text file.

    Quarantine: Cloud App Security moves the file to a restricted access folder, removing it as a security risk to protected services.

    Pass: Cloud App Security records the detection in a log and delivers the file unchanged.

    Advanced Options: Specify text to replace the original file content when a file is quarantined or deleted.

    • Box, Dropbox and Google Drive policies

    Delete: Cloud App Security deletes the file and replaces it with a replacement text file.

    Quarantine: Cloud App Security moves the file to a restricted access folder, removing it as a security risk to protected services.

    Pass: Cloud App Security records the detection in a log and delivers the file unchanged.

    Advanced Options: Specify text to replace the original file content when a file is quarantined.

  7. Configure Notification settings.
    Notify administrator: Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.

    The notification threshold limits how many notification messages are sent. Threshold settings include:

    • Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).

    • Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.

    • Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.

    Notify User: For Exchange Online, specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message, attachment, or file.

    For SharePoint Online, OneDrive for Business, Box, Dropbox and Google Drive, specify message details that notify the user who uploaded a file that Cloud App Security detected a security risk and took action on their file.

    Note:

    When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token List.

  8. Click Save or select another policy configuration on the left navigation to continue with additional rules.
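The settings in steps 3 to 7 interact: the scope and approved sender list decide which messages are scanned at all, monitor mode overrides the per-risk-level action while leaving the administrator notification in place, and the notification threshold decides how many emails those detections produce. The following Python model, added here as an illustration and not Trend Micro's code, shows how those settings combine. The risk-level names ("high", "medium", "low"), the action strings, the data structures, and the sample senders and timestamps are all assumptions constructed for the example.

```python
"""Illustrative model of how the Virtual Analyzer policy settings combine.
Added example, not Trend Micro code: risk-level names, action strings and
all sample values are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Action names as they appear in the Action settings on this page.
TAG_SUBJECT, DELETE, QUARANTINE, PASS = "tag subject", "delete", "quarantine", "pass"


@dataclass
class Message:
    sender: str
    internal_sender: bool        # True when sent from an internal domain
    risk_level: Optional[str]    # assumed labels "high"/"medium"/"low"; None = nothing found


@dataclass
class VirtualAnalyzerPolicy:
    enabled: bool = True
    monitor_only: bool = False   # the "Monitor and log only" check box
    scope: str = "all"           # "all" or "incoming" (Exchange Online only)
    approved_senders_enabled: bool = False
    approved_senders: Set[str] = field(default_factory=set)
    actions: Dict[str, str] = field(default_factory=dict)  # risk level -> action
    notify_admin: bool = True    # "Notify administrator" in step 7


def sender_is_approved(policy: VirtualAnalyzerPolicy, sender: str) -> bool:
    """Exact (case-insensitive) address match only. Wildcards and regular
    expressions are not supported for individual addresses, so an entry such
    as "*@example.com" is an ordinary string that matches nothing."""
    if not policy.approved_senders_enabled:
        return False
    return sender.lower() in {s.lower() for s in policy.approved_senders}


def evaluate(policy: VirtualAnalyzerPolicy, msg: Message) -> Tuple[str, bool, bool]:
    """Return (action taken, administrator notified, detection logged)."""
    if not policy.enabled:
        return ("deliver", False, False)
    if policy.scope == "incoming" and msg.internal_sender:
        return ("deliver", False, False)   # outside the configured scope
    if sender_is_approved(policy, msg.sender):
        return ("deliver", False, False)   # excluded from scanning entirely
    if msg.risk_level is None:
        return ("deliver", False, False)   # sandbox found no risk
    if policy.monitor_only:
        # Monitor mode: log the detection and deliver unchanged; the configured
        # action is ignored, but the administrator notification still fires.
        return (PASS, policy.notify_admin, True)
    action = policy.actions.get(msg.risk_level, PASS)
    return (action, policy.notify_admin, True)


def notification_emails(event_times: List[int], mode: str, threshold: int = 1) -> int:
    """Number of administrator emails produced by detections at the given
    timestamps (seconds) under each notification threshold setting."""
    if mode == "individual":      # one email per filtering action
        return len(event_times)
    if mode == "occurrences":     # one consolidated email per `threshold` detections
        return len(event_times) // threshold
    if mode == "periodic":        # one consolidated email per `threshold`-second window
        return len({t // threshold for t in event_times})
    raise ValueError("unknown notification mode: " + mode)


if __name__ == "__main__":
    # Constructed sample policy and messages.
    policy = VirtualAnalyzerPolicy(
        scope="incoming",
        approved_senders_enabled=True,
        approved_senders={"partner@example.com"},
        actions={"high": QUARANTINE, "medium": TAG_SUBJECT, "low": PASS},
    )
    for msg in (Message("external@example.net", False, "high"),
                Message("colleague@example.org", True, "high"),
                Message("partner@example.com", False, "high")):
        print(msg.sender, "->", evaluate(policy, msg))
    print("emails, consolidated by 2 occurrences:",
          notification_emails([0, 600, 3700, 7300, 7400], "occurrences", 2))
```

Running the block shows that an internal sender is skipped under the "Incoming messages" scope, an approved sender is never scanned, and that switching `monitor_only` on turns every configured action into a logged pass while still notifying the administrator.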