Configuring Virtual Analyzer Network and Filters

To reduce the number of files in the Virtual Analyzer queue, configure the file submission filters and enable exceptions.
Object analysis is paused and settings are disabled whenever Virtual Analyzer is being configured.

Procedure

  1. Go to Administration > Scanning / Analysis > Virtual Analyzer.
  2. Specify Settings.
    Option
      Description
    Network Connection
      Select how Virtual Analyzer connects to the network. For information about network types, see Virtual Analyzer Network Types.
    Submission Filters
      • Files: Submit only highly suspicious files or submit highly suspicious files and force analyze all selected file types.
      • Exceptions: Select Certified Safe Software Service to reduce the likelihood of false-positive detections.
    Timeout Settings
      Select how long Virtual Analyzer should wait before timing out a submitted object. Virtual Analyzer does not assign any risk level to objects that have timed out. Timed out objects still receive risk levels from other scan engines.
  3. Click Save.

Certified Safe Software Service

Certified Safe Software Service (CSSS) is the Trend Micro cloud database of known safe files. Trend Micro datacenters are queried to check submitted files against the database.
Enabling CSSS prevents known safe files from entering the Virtual Analyzer queue. This process:
  • Saves computing time and resources
  • Reduces the likelihood of false positive detections
Tip: CSSS is enabled by default. Trend Micro recommends using the default settings.

Virtual Analyzer Network Types

When simulating file and URL behavior, Virtual Analyzer uses its own analysis engine to determine the risk of an object. Virtual Analyzer requires an Internet connection to query Trend Micro cloud services (examples: WRS, ERS, and CSSS) for available threat data. The selected network type also determines whether submitted objects can connect to the Internet.
After configuring the network connection, click Test Internet Connectivity to verify that Virtual Analyzer can connect to the Internet.
Note: Internet access improves analysis by allowing samples to access C&C callback addresses or other external links.
Network Type
  Description
Management Network
  Direct Virtual Analyzer traffic through the management port.
  Important: Enabling connections to the management network may result in malware propagation and other malicious activity in the network.
Custom network
  Virtual Analyzer connects to the Internet using a port other than the management port.
    1. Select a specific port for Virtual Analyzer traffic. Make sure that the port is available and able to connect directly to an outside network.
    2. Type the gateway that Virtual Analyzer will use to access outside networks.
    3. Type the DNS address that Virtual Analyzer will use to access outside networks.
  Note: Trend Micro recommends using an environment isolated from the management network, such as a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions.
No network access
  Isolate Virtual Analyzer traffic within the sandbox environment. The environment has no connection to an outside network.
  Note: Virtual Analyzer has no Internet connection and relies only on its analysis engine.
  No URLs are submitted for analysis.
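
The following is an added example, not part of the product or of Trend Micro documentation. It checks planned custom network values (port address, gateway, DNS) against the management network before they are typed into the console. The function names, finding labels, and all addresses are constructed for illustration, and treating a DNS server on the management network as a finding is an assumption drawn from the isolation recommendation above.

```python
import ipaddress


def check_custom_network(port_cidr, gateway, dns, management_cidr):
    """Return findings for a planned custom network setup (empty list = none).

    Every argument is a value the administrator plans to use; nothing is read
    from the appliance. port_cidr is the sandbox port address with its prefix.
    """
    iface = ipaddress.ip_interface(port_cidr)
    mgmt = ipaddress.ip_network(management_cidr)
    gw = ipaddress.ip_address(gateway)
    resolver = ipaddress.ip_address(dns)
    findings = []

    # Port: the sandbox subnet must not share address space with management.
    if iface.network.overlaps(mgmt):
        findings.append("subnet-overlaps-management")
    # Gateway: must be on-link for the sandbox port and distinct from it.
    if gw not in iface.network or gw == iface.ip:
        findings.append("gateway-not-on-sandbox-subnet")
    # Gateway: must not route sample traffic through a management host.
    if gw in mgmt:
        findings.append("gateway-in-management")
    # DNS: lookups made by samples must not land on the management network.
    if resolver in mgmt:
        findings.append("dns-in-management")
    return findings


# Constructed sample data: one management network and three candidate plans.
MANAGEMENT = "10.0.0.0/24"
PLANS = {
    "isolated": ("192.168.50.10/24", "192.168.50.1", "192.168.50.53"),
    "shared": ("10.0.0.200/24", "10.0.0.1", "10.0.0.2"),
    "misrouted": ("192.168.50.10/24", "192.168.60.1", "10.0.0.2"),
}


def audit(plans, management_cidr):
    """Run the check over named plans and return {plan name: findings}."""
    return {name: check_custom_network(*values, management_cidr)
            for name, values in plans.items()}


if __name__ == "__main__":
    for name, result in audit(PLANS, MANAGEMENT).items():
        print(f"{name}: {', '.join(result) if result else 'no findings'}")
```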

Virtual Analyzer File Submission Filters

In addition to highly suspicious files, Virtual Analyzer can also scan for a variety of file types.
The following table shows the displayed file categories, the full file types each category contains, and example file extensions.

Virtual Analyzer File Submission Filters

Displayed File Category
  Full File Type
  Example File Extensions

Flash and other multimedia
  Full file types:
    • Adobe™ Shockwave™ Flash file
    • Apple QuickTime media
  Example file extensions: .swf, .mov

Java
  Full file types:
    • Java™ Applet
    • Java Archive (JAR)
  Example file extensions: .Applet, .jApplet, .awt, .jar

Office
  Full file types:
    • Microsoft™ Word™ document
    • Microsoft™ Office Word™ 2007 document
    • Microsoft™ Powerpoint™ presentation
    • Microsoft™ Office PowerPoint™ 2007 presentation
    • Microsoft™ Excel™ spreadsheet
    • Microsoft™ Office Excel™ 2007 spreadsheet
    • Microsoft™ Office™ 2003 XML file
    • Microsoft™ Word™ 2003 XML document
    • Microsoft™ Excel™ 2003 XML spreadsheet
    • Microsoft™ PowerPoint™ 2003 XML presentation
    • Hancom™ Hangul Word Processor (HWP) document
    • JustSystems™ Ichitaro™ document
    • JungUm™ Global document
    • Microsoft™ Outlook™ Item
  Example file extensions: .doc, .docx, .ppt, .pptx, .xls, .xlsx, .cell, .xml, .hwp, .jtd, .gul, .msg

Office with Macros
  Full file types:
    • Microsoft™ Office Word™ 2007 macro-enabled document
    • Microsoft™ Office PowerPoint™ 2007 macro-enabled presentation
    • Microsoft™ Office Excel™ 2007 macro-enabled spreadsheet
  Example file extensions: .docm, .pptm, .xlsm

Other document formats
  Full file types:
    • Compiled HTML (CHM) help file
    • Microsoft™ Windows™ Shell Binary Link shortcut
    • Microsoft™ Rich Text Format (RTF) document
    • Adobe™ Portable Document Format (PDF)
  Example file extensions: .chm, .lnk, .rtf, .pdf

Scripts
  Full file types:
    • Text file
  Example file extensions: .js, .jse, .vbe, .vbs

Windows executables
  Full file types:
    • AMD™ 64-bit DLL file
    • Microsoft™ Windows™ 16-bit DLL file
    • Microsoft™ Windows™ 32-bit DLL file
    • Executable file (EXE)
    • AMD™ 64-bit EXE file
    • DIET DOS EXE file
    • Microsoft™ DOS EXE file
    • IBM™ OS/2 EXE file
    • LZEXE DOS EXE file
    • MIPS EXE file
    • MSIL Portable executable file
    • Microsoft™ Windows™ 16-bit EXE file
    • Microsoft™ Windows™ 32-bit EXE file
    • ARJ compressed EXE file
    • ASPACK 1.x compressed 32-bit EXE file
    • ASPACK 2.x compressed 32-bit EXE file
    • GNU UPX compressed EXE file
    • LZH compressed EXE file
    • LZH compressed EXE file for ZipMail
    • MEW 0.5 compressed 32-bit EXE file
    • MEW 1.0 compressed 32-bit EXE file
    • MEW 1.1 compressed 32-bit EXE file
    • PEPACK compressed executable
    • PKWARE™ PKLITE™ compressed DOS EXE file
    • PETITE compressed 32-bit executable file
    • PKZIP compressed EXE file
    • WWPACK compressed executable file
  Example file extensions: .dll, .exe