Suspicious Object Management and Handling Process

The suspicious object handling process can be broken down into the following phases:

Sample Submission

The Virtual Analyzer built into the following managed products processes submitted samples:

  • Deep Discovery Inspector 3.8: Uses administrator-configured file submission rules to determine the samples to submit to its Virtual Analyzer

  • Deep Discovery Analyzer 5.1: Receives samples uploaded by product administrators or sent by other Trend Micro products

Analysis

Virtual Analyzer in managed products tracks and analyzes submitted samples, and flags objects as suspicious based on their potential to expose systems to danger or loss. Supported object types are files (identified by their SHA-1 hash value), IP addresses, domains, and URLs.

Distribution

Control Manager consolidates suspicious objects and scan actions against the objects and then distributes them to other products.

3.1. Virtual Analyzer Suspicious Objects

Managed products with Virtual Analyzer send a list of suspicious objects to Control Manager.

Control Manager displays suspicious objects in Administration > Suspicious Objects > Virtual Analyzer Objects, in the Objects tab.

3.2. Exceptions to Virtual Analyzer Suspicious Objects

From the list of Virtual Analyzer suspicious objects (Administration > Suspicious Objects > Virtual Analyzer Objects), Control Manager administrators can select objects that are considered safe and add them to an exception list.

The exception list displays in the Exceptions tab next to the Objects tab.

Control Manager sends the exception list back to the managed products with Virtual Analyzer. If a suspicious object from a managed product matches an object in the exception list, the product no longer sends it to Control Manager.

3.3. User-Defined Suspicious Objects

Control Manager administrators can add objects they consider suspicious that are not currently in the list of Virtual Analyzer suspicious objects by going to Administration > Suspicious Objects > User-Defined Objects.

3.4. Suspicious Object Distribution

Control Manager consolidates Virtual Analyzer and user-defined suspicious objects (excluding exceptions) and sends the consolidated list to certain managed products. Each product synchronizes the list and uses the object types it supports.

The following are the supported managed products and the required minimum versions:

  • Deep Discovery Inspector 3.8: Expands its list of suspicious objects to include user-defined objects and those detected by other Deep Discovery products

  • OfficeScan 11 SP1: Searches for suspicious files, IP addresses, and URLs during routine scans

  • Smart Protection Server 3.0 Patch 1 (standalone) or integrated with OfficeScan 11 SP1: Relays suspicious URL information to Trend Micro products (such as OfficeScan agents, ScanMail, and Deep Security) that send Web Reputation queries

3.5. Scan Actions

Configure the scan action (log, block, or quarantine) that managed products take against suspicious objects detected on endpoints.

Block and quarantine are considered "active" actions, while log is considered "passive". If a product takes an active action, Control Manager declares the affected endpoints mitigated. If the action is passive, the endpoints are declared at risk.

Scan actions are configured separately for Virtual Analyzer and user-defined suspicious objects.

  • Administration > Suspicious Objects > Virtual Analyzer Objects

  • Administration > Suspicious Objects > User-Defined Objects

Control Manager automatically deploys the actions to certain managed products.

The following are the supported managed products and the required minimum versions:

  • OfficeScan 11 SP1: Performs actions against Virtual Analyzer suspicious files, IP addresses, and URLs (actions against user-defined objects are not supported)

  • Smart Protection Server 3.0 Patch 1 (standalone) or integrated with OfficeScan 11 SP1: Relays actions against suspicious URLs to OfficeScan agents that send Web Reputation queries

Impact Assessment

Impact assessment checks endpoints for suspicious activities associated with suspicious objects. Endpoints with confirmed suspicious activities are considered at risk.

Control Manager also considers endpoints to be at risk if products take "passive" actions against suspicious objects.

4.1. Impact Assessment

From the list of Virtual Analyzer suspicious objects in Administration > Suspicious Objects > Virtual Analyzer Objects, run impact assessment to determine at-risk endpoints.

Impact assessment requires Deep Discovery Endpoint Sensor 1.5 or later.

Deep Discovery Endpoint Sensor only performs the assessment; it does not take action on at-risk endpoints.

4.2. "Passive" Scan Action

When the scan action configured in Control Manager and deployed to OfficeScan agents is "passive" (log), the affected endpoints are considered at risk.

4.3. Detection Matching

Control Manager also checks Web Reputation, URL filtering, network content inspection, and rule-based detection logs received from all managed products and compares them with its list of suspicious objects. If there is a match from a specific endpoint and the managed product took a "passive" action (such as Log, Pass, or Warn and Continue), the endpoint is also considered at risk.

At-risk Endpoints

To view the number of at-risk endpoints, go to Administration > Suspicious Objects > Virtual Analyzer Objects and see the At Risk Endpoints column.

To view detailed information for at-risk endpoints, go to the Object column and click the arrow icon (if available) before the suspicious object name. The screen expands to show a table with details about the suspicious object and at-risk endpoints.

Mitigation

The OfficeScan agent and other managed products perform "active" scan actions against suspicious objects.

5.1. "Active" Scan Actions

When the scan action configured in Control Manager and deployed to OfficeScan agents is "active" (block or quarantine), the affected endpoints are considered mitigated.

Endpoint Isolation

Alternatively, isolate at-risk endpoints when a detailed investigation is required.

Only endpoints with OfficeScan agents (version 11 SP1 or later) can be isolated, and the OfficeScan firewall must be enabled on the agent.

For more information, see Endpoint Isolation and Connection Restoration.

5.2. Detection Matching

Control Manager also checks Web Reputation, URL filtering, network content inspection, and rule-based detection logs received from all managed products and compares them with its list of suspicious objects. If there is a match from a specific endpoint and the managed product took an "active" action (such as Block, Delete, Quarantine, or Override), Control Manager treats the endpoint as mitigated.
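The consolidation step of section 3.4 and the detection matching of sections 4.3 and 5.2 can be modelled in a few dozen lines. The following is an added Python example, not Control Manager code or anything from this guide: it merges Virtual Analyzer and user-defined objects, drops exceptions, compares constructed detection log entries against the result, and sorts matched endpoints into at risk (passive action) or mitigated (active action). The object and endpoint names, the log record layout, the case-folding of hashes and domains, the rejection of file values that are not SHA-1 digests, and the rule that an endpoint with any passive match stays at risk for that object are all assumptions made for the example.

```python
"""Consolidate suspicious objects and match detection logs against them.

Added example (not Control Manager code). Sample data below is constructed.
"""
import re
from collections import defaultdict

# Supported object types; file objects are SHA-1 hash values.
OBJECT_TYPES = {"sha1", "ip", "domain", "url"}
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Action names from the Detection Matching sections, compared case-insensitively.
ACTIVE_ACTIONS = {"block", "delete", "quarantine", "override"}
PASSIVE_ACTIONS = {"log", "pass", "warn and continue"}


def normalize(obj_type, value):
    """Canonicalize an object so list entries and log entries compare equal.

    Assumption: hashes and domains are case-folded and a file object that is
    not a 40-digit hex SHA-1 is rejected (the guide does not describe this).
    """
    if obj_type not in OBJECT_TYPES:
        raise ValueError(f"unsupported object type: {obj_type}")
    value = value.strip()
    if obj_type == "sha1":
        value = value.lower()
        if not SHA1_RE.fullmatch(value):
            raise ValueError(f"file object is not a SHA-1 hex digest: {value}")
    elif obj_type == "domain":
        value = value.lower().rstrip(".")
    return (obj_type, value)


def consolidate(va_objects, user_defined, exceptions):
    """Section 3.4: Virtual Analyzer plus user-defined objects, minus exceptions."""
    excluded = {normalize(t, v) for t, v in exceptions}
    merged = {normalize(t, v) for t, v in va_objects}
    merged |= {normalize(t, v) for t, v in user_defined}
    return merged - excluded


def match_detections(suspicious, logs):
    """Sections 4.3 / 5.2: compare detection logs with the consolidated list.

    Returns {object: {"at_risk": set, "mitigated": set, "unclassified": set}}.
    Malformed log entries are skipped instead of aborting the whole run.
    """
    result = defaultdict(lambda: {"at_risk": set(), "mitigated": set(), "unclassified": set()})
    for entry in logs:
        try:
            key = normalize(entry["type"], entry["object"])
        except ValueError:
            continue
        if key not in suspicious:
            continue  # excepted or unknown objects never affect endpoint status
        action = entry["action"].strip().lower()
        if action in ACTIVE_ACTIONS:
            result[key]["mitigated"].add(entry["endpoint"])
        elif action in PASSIVE_ACTIONS:
            result[key]["at_risk"].add(entry["endpoint"])
        else:
            # Assumption: an unrecognized action name is reported, not guessed.
            result[key]["unclassified"].add(entry["endpoint"])
    # Assumption: any passive match keeps the endpoint at risk for that object,
    # even if another log line shows an active action against the same object.
    for bucket in result.values():
        bucket["mitigated"] -= bucket["at_risk"]
    return dict(result)


def at_risk_counts(matches):
    """Per-object count, like the At Risk Endpoints column."""
    return {key: len(bucket["at_risk"]) for key, bucket in matches.items()}


# Constructed sample data (hypothetical names; the SHA-1 is that of empty input).
VA_OBJECTS = [
    ("sha1", "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"),
    ("url", "http://malware.example/payload.exe"),
    ("ip", "198.51.100.23"),
]
USER_DEFINED = [("domain", "C2.Example."), ("url", "http://safe.example/login")]
EXCEPTIONS = [("url", "http://safe.example/login")]

DETECTION_LOGS = [
    {"endpoint": "WS-001", "type": "url", "object": "http://malware.example/payload.exe", "action": "Block"},
    {"endpoint": "WS-002", "type": "url", "object": "http://malware.example/payload.exe", "action": "Warn and Continue"},
    {"endpoint": "WS-003", "type": "sha1", "object": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "action": "Log"},
    {"endpoint": "WS-003", "type": "sha1", "object": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "action": "Quarantine"},
    {"endpoint": "WS-004", "type": "url", "object": "http://safe.example/login", "action": "Log"},
    {"endpoint": "WS-005", "type": "domain", "object": "c2.example", "action": "Pass"},
    {"endpoint": "WS-006", "type": "sha1", "object": "d41d8cd98f00b204e9800998ecf8427e", "action": "Block"},
    {"endpoint": "WS-007", "type": "ip", "object": "198.51.100.23", "action": "Clean"},
]


def run():
    """Consolidate the lists and match the constructed logs against them."""
    return match_detections(consolidate(VA_OBJECTS, USER_DEFINED, EXCEPTIONS), DETECTION_LOGS)


if __name__ == "__main__":
    for obj, count in sorted(at_risk_counts(run()).items()):
        print(f"{obj[0]:6} {obj[1]:45} at-risk endpoints: {count}")
```

Two details are worth noting when reading the output. The excepted URL on WS-004 produces no status at all, matching section 3.4's "excluding exceptions"; and WS-003 ends up at risk rather than mitigated because one of its two log lines shows a passive action, which is the conservative reading of sections 4.3 and 5.2 rather than documented behaviour.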