Configuring Virtual Analyzer Network and Filters

To reduce the number of files in the Virtual Analyzer queue, configure the file submission filters and enable exceptions.
Object analysis is paused and settings are disabled whenever Virtual Analyzer is being configured.

Procedure

  1. Go to Administration > Scanning / Analysis > Virtual Analyzer.
  2. Specify Settings.

    Network Connection

    Note: This section is available when TippingPoint Advanced Threat Protection for Email is using an internal Virtual Analyzer. When the internal Virtual Analyzer is set to connect to the Internet through a proxy server, reconfigure proxy settings after a configuration restore or firmware update on TippingPoint Advanced Threat Protection for Email.

    From the Network type drop-down list, select how Virtual Analyzer connects to the network. For information about network types, see Virtual Analyzer Network Types.
    If you select the Custom Network type, select a specific port for Virtual Analyzer traffic from the Sandbox port drop-down list and click Configure IPv4 settings to configure the network settings.
    If a proxy server is required for the internal Virtual Analyzer to connect to the Internet, select Use a dedicated proxy server from the drop-down list and provide the following information:
    • Server address
    • Port
    • Proxy server requires authentication: If authentication is required, select this check box and type the user name and password.

    Submission Filters

    Files: Select the file types to have Virtual Analyzer perform one of the following actions:
    • Submit only highly suspicious files
    • Submit highly suspicious files and force analyze all selected file types
    Exceptions: Select Certified Safe Software Service to reduce the likelihood of false-positive detections.

    Timeout Setting

    Select how long Virtual Analyzer should wait before timing out a submitted object. Virtual Analyzer does not assign any risk level to objects that have timed out. Timed-out objects still receive risk levels from other scan engines.
  3. Click Save.

Certified Safe Software Service

Certified Safe Software Service (CSSS) is the Trend Micro cloud database of known safe files. Trend Micro datacenters are queried to check submitted files against the database.
Enabling CSSS prevents known safe files from entering the Virtual Analyzer queue. This process:
  • Saves computing time and resources
  • Reduces the likelihood of false positive detections
Tip: CSSS is enabled by default. Trend Micro recommends using the default settings.

Virtual Analyzer Network Types

When simulating file and URL behavior, Virtual Analyzer uses its own analysis engine to determine the risk of an object. The selected network type also determines whether submitted objects can connect to the Internet.
After configuring the network connection, click Test Internet Connectivity to verify that Virtual Analyzer can connect to the Internet.
Note: Internet access improves analysis by allowing samples to access C&C callback addresses or other external links.

Network Type: Management network
Description: Direct Virtual Analyzer traffic through the management port.
Important: Enabling connections to the management network may result in malware propagation and other malicious activity in the network.

Network Type: Custom network
Description: Virtual Analyzer connects to the Internet using a port other than the management port.
Note: Trend Micro recommends using an environment isolated from the management network, such as a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions.

Network Type: No network access
Description: Isolate Virtual Analyzer traffic within the sandbox environment. The environment has no connection to an outside network.
Note: Virtual Analyzer has no Internet connection and relies only on its analysis engine. No URLs are submitted for analysis.

Virtual Analyzer File Submission Filters

In addition to highly suspicious files, Virtual Analyzer can also scan for a variety of file types.
The following table shows the displayed file categories, contained full file types, and file extensions.

Virtual Analyzer File Submission Filters

Displayed File Category: Flash and other multimedia
Full File Type:
  • Scalable Vector Graphics (SVG)
  • Adobe™ Shockwave™ Flash file
  • Apple QuickTime media
Example File Extensions: .svg, .swf, .mov

Displayed File Category: Java
Full File Type:
  • Java Archive (JAR)
  • Java class file
Example File Extensions: .jar, .class

Displayed File Category: Office
Full File Type:
  • Microsoft™ Word™ document
  • Microsoft™ OLE document
  • Microsoft™ Office Word™ (2007 or later) document
  • Microsoft™ PowerPoint™ presentation
  • Microsoft™ Office PowerPoint™ (2007 or later) presentation
  • Microsoft™ Excel™ spreadsheet
  • Microsoft™ Office Excel™ (2007 or later) spreadsheet
  • Microsoft™ Office™ 2003 XML file
  • Microsoft™ Word™ 2003 XML document
  • Microsoft™ Excel™ 2003 XML spreadsheet
  • Microsoft™ PowerPoint™ 2003 XML presentation
  • Microsoft™ Publisher 2016
  • Hancom™ Hancell spreadsheet
  • Hancom™ Hangul Word Processor (HWP) document
  • Hancom™ Hangul Word Processor (2014 or later) (HWPX) document
  • JustSystems™ Ichitaro™ document
  • JungUm™ Global document
  • Microsoft™ Outlook™ Item
Example File Extensions: .doc, .dot, .docx, .dotx, .pps, .ppsx, .ppt, .pptx, .pub, .xla, .xls, .xlsx, .xlt, .xlm, .cell, .xml, .xlsb, .xltx, .hwp, .hwpx, .jtd, .gul, .msg

Displayed File Category: Office with Macros
Full File Type:
  • Microsoft™ Office Word™ 2007 macro-enabled document
  • Microsoft™ Office PowerPoint™ 2007 macro-enabled presentation
  • Microsoft™ Office Excel™ 2007 macro-enabled spreadsheet
Example File Extensions: .docm, .dotm, .potm, .ppam, .ppsm, .pptm, .xlam, .xlsm, .xltm

Displayed File Category: Other document formats
Full File Type:
  • Compiled HTML (CHM) help file
  • Microsoft™ Windows™ Shell Binary Link shortcut
  • Microsoft™ Rich Text Format (RTF) document
Example File Extensions: .chm, .lnk, .rtf

Displayed File Category: PDF
Full File Type:
  • Adobe™ Portable Document Format (PDF)
Example File Extensions: .pdf

Displayed File Category: Scripts
Full File Type:
  • Microsoft™ Windows™ Batch file
  • Microsoft™ Windows™ Command Script file
  • JavaScript™ file
  • JavaScript™ encoded script file
  • HTML Application file
  • Microsoft™ Windows™ PowerShell script file
  • Visual Basic™ encoded script file
  • Visual Basic™ script file
  • Microsoft™ Windows™ script file
Example File Extensions: .bat, .cmd, .js, .jse, .hta, .ps1, .vbe, .vbs, .wsf

Displayed File Category: Windows executables
Full File Type:
  • AMD™ 64-bit DLL file
  • Microsoft™ Windows™ 16-bit DLL file
  • Microsoft™ Windows™ 32-bit DLL file
  • Executable file (EXE)
  • AMD™ 64-bit EXE file
  • DIET DOS EXE file
  • Microsoft™ DOS EXE file
  • IBM™ OS/2 EXE file
  • LZEXE DOS EXE file
  • MIPS EXE file
  • MSIL Portable executable file
  • Microsoft™ Windows™ 16-bit EXE file
  • Microsoft™ Windows™ 32-bit EXE file
  • ARJ compressed EXE file
  • ASPACK 1.x compressed 32-bit EXE file
  • ASPACK 2.x compressed 32-bit EXE file
  • GNU UPX compressed EXE file
  • LZH compressed EXE file
  • LZH compressed EXE file for ZipMail
  • MEW 0.5 compressed 32-bit EXE file
  • MEW 1.0 compressed 32-bit EXE file
  • MEW 1.1 compressed 32-bit EXE file
  • PEPACK compressed executable
  • PKWARE™ PKLITE™ compressed DOS EXE file
  • PETITE compressed 32-bit executable file
  • PKZIP compressed EXE file
  • WWPACK compressed executable file
Example File Extensions: .cpl, .crt, .dll, .drv, .exe, .ocx, .scr, .sys