p.writer-instructions {

    display: none;         <- HIDE THE COMMENTS


p.writer-instructions {

    display: block;         <- DISPLAY THE COMMENTS


Trend Micro Incorporated
August 2020

For example, December 21, 2017

Trend Micro™ Deep Discovery Inspector

NOTICE: This Readme file was current as of the date above. However, all customers are advised to check the Trend Micro website for documentation updates at

TIP: Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation or online at


1. About Deep Discovery Inspector

2. What's New

3. Documentation Set

4. System Requirements

5. Installation or Upgrade

6. Post-Installation Configuration

7. Known Issues

8. Contact Information

9. About Trend Micro

10. License Agreement

1. About Deep Discovery Inspector

Deep Discovery Inspector is a third-generation threat management solution, designed and architected by Trend Micro to deliver breakthrough advanced persistent threat (APT) and targeted attack visibility, insight, and control.

Trend Micro Deep Discovery Inspector is the result of thorough investigations of targeted attacks around the world, interviews with major customers, and the participation of a special product advisory board made up of leading G1000 organizations and government agencies.

Deep Discovery Inspector provides IT administrators with critical security information, alerts, and reports.

Deep Discovery Inspector deploys in offline monitoring mode. It monitors network traffic by connecting to the mirror port on a switch for minimal or no network interruption.

If available, use the 50-word description provided by Marketing.

CAUTION: These descriptions sometimes contain errors, such as word usage or grammar mistakes. If needed, edit the text before you paste it into your file. Verify that the information is current by checking with Marketing.

Back to top

2. What's New

See Chapter 1 of the Administrator's Guide or visit the following page for a list of new features and enhancements in this release:

This section describes the new functions/features. Content can be lifted directly from the Admin Guide.

Back to top

3. Documentation Set

To download or view electronic versions of the documentation set for this product, go to

Delete the documentation that does not apply for this product.

In addition to this Readme file, the documentation set for this product includes the following:

Back to top

4. System Requirements

Include only appropriate requirements for your product.

For Enterprise agent-server products, list the size of the package that will be deployed to each agent, both 32-bit and 64-bit. This way, customers know the bandwidth requirements for remote machines.

See the Installation and Deployment Guide for a list of system requirements.

Include only appropriate requirements for your product. For Enterprise agent-server products, list the size of the package that will be deployed to each agent, both 32-bit and 64-bit. This way, customers know the bandwidth requirements for remote machines.


Size of Deployment Package

32-bit OS (i.e. Windows XP, Windows 2003...) = 100MB

64-bit OS (i.e. Windows XP, Windows 2008) = 90MB

Size of the new install package (32/64-bit) via Agent Packager Tool

MSI Package (Conventional Scan) = 100 MB

MSI Package (Smart Scan) = 90 MB

Setup Package (Conventional Scan) = 80 MB

Setup Package (Smart Scan) = 80 MB

Estimated size (in terms of bandwidth) per agent

32-bit agent total = 757 KB

64-bit agent total = 1004 KB

TIP: For Small Business agent-server products, only include estimated size (in terms of bandwidth) to reduce the complexity for customers.

If you do need to list system requirements:

List the minimum/recommended requirements for running the product. Content can be lifted directly from the Installation Guide.

Avoid writing "and above" or "later" or other text to imply that the product works with future software versions. It's impossible to validate that a product works correctly with future versions. If the system requirements that you receive from QA include "and above" or similar text, challenge them.

Back to top

5. Installation or Upgrade

Only provide step-by-step instructions if not documented or if different from the information in the Installation Guide or Getting Started Guide.

See the Quick Start Card and Chapter 4 of the Installation and Deployment Guide for installation instructions.

See Chapter 6 of the Administrator's Guide for upgrade instructions.

Back to top

6. Post-Installation Configuration

Only provide step-by-step instructions if not documented or if different from the information in the Installation Guide or Getting Started Guide.

Explain what the customer should do after the installation. This could include additional steps, for example:

Restart the HTTP and FTP scanner services using the Control Panel.

If no further action required, write the following:

If upgrading from a previous version:

Include advice to register the product and update. Use the following boilerplate text if appropriate for your product.

Back to top

7. Known Issues

Describe things that are still not working or are causing a problem. Do not describe what caused the problem; only include the symptom the customer would have seen, and say it's been fixed.

Do not describe every known issue; describe only the major issues.

Describe how to resolve the problem or at least how to work around it if possible.

If the readme is for a beta release, review the list of issues before sending out the final readme - some of the issues may have been fixed and should no longer appear in the list.

Known issues in this release:


7.1 Scan issue(s)

a. The Manual Scan progress screen may display directories not specified as scan target.

b. Scan exclusion settings for spyware/grayware are disregarded after installation.

7.2 Citrix integration issue

When the "Client Console Access Restriction" is disabled on a Citrix server, notification messages display simultaneously in each logon session.

  1. When Deep Discovery Director - Network Analytics (DDD - NA) on-premises 3.0 is integrated with Deep Discovery Inspector and then you migrate to Deep Discovery Inspector 5.7 or above, the DDD - NA integration will not be migrated. To continue using DDD - NA after migration, perform a fresh install of Deep Discovery Director 5.2 (Install in consolidated mode > Install internal Network Analytics version) and reintegrate with Deep Discovery Inspector.

  2. Deep Discovery Inspector deployed in AWS truncates mirrored packets larger than 8947 bytes due to the AWS traffic mirror limitation. To avoid truncation, the MTU size in the traffic mirror source needs to be set to equal or less than 8947 bytes.

  3. The encapsulated remote mirroring feature in Deep Discovery Inspector (under Show advanced settings in the Administration > System Settings > Network Interface screen) supports only IPv4 addressing to receive mirrored traffic. IPv6 addressing is not supported.

  4. During peak resource usage on a Deep Discovery Inspector virtual appliance deployed with a virtual distributed switch that is configured for encapsulated remote mirroring, the ESXi mirroring source might drop packets during transmission.

  5. For Backup / Restore under Administration > System Maintenance, Deep Discovery Inspector 5.7 only supports configuration restored from Deep Discovery Inspector 5.5, 5.6 and 5.6 SP1. Also, cross-language backup/restore is not supported.

  6. Deep Discovery Inspector 5.0 and above cannot communicate with Smart Protection Server version 3.2 or earlier. To avoid this issue, upgrade your Smart Protection Servers to version 3.3, or go to Administration > Monitoring / Scanning > Web Reputation and then configure the smart protection source as "Trend Micro Smart Protection Network".

  7. Deep Discovery Inspector 5.0 and above cannot communicate with the following products or services when TLS enforcement for Secure Protocol is enabled:

    • Deep Discovery Analyzer versions earlier than 5.5
    • Network VirusWall Enforcer versions earlier than 3.5 SP3
    • Smart Protection Server versions earlier than 3.3
    • Threat Management Services Portal
    • Trend Micro Control Manager versions earlier than 7.0
    • TippingPoint Security Management System (SMS) versions earlier than 4.4
    • Check Point Open Platform for Security (OPSEC) versions earlier than R77.30
    • IBM Security Network Protection (XGS) versions earlier than 5.2
    • Palo Alto PAN-OS versions earlier than 7.0
    • Palo Alto Panorama versions earlier than 7.0
    • Microsoft Windows Server versions earlier than 2008 R2

  8. After opening the Deep Discovery Inspector management console from Control Manager or Apex Central using single sign-on, features that involve file upload behavior do not function, such as migration, hot fix application, and configuration import.

  9. When performing sandbox analysis using a Windows 10 image that requires higher system resources, the performance of Deep Discovery Inspector may be affected. Trend Micro recommends evaluating the system load capacity on Deep Discovery Inspector before using a Windows 10 sandbox environment for analysis.

  10. After resetting the one-time password on an integrated Check Point appliance, suspicious Objects and C&C callback addresses are not distributed to the Check Point appliance and the following message is generated in the Deep Discovery Inspector System Logs: "Unable to distribute suspicious objects to Check Point OPSEC. Verify that the Check Point OPSEC settings are correct and that no network problem exists." To avoid this issue, type and then save the new SIC one-time password in Deep Discovery Inspector.

  11. Performing concurrent file downloads or log exports can cause the management console to behave unexpectedly. To avoid this issue, wait until a file download or log export completes before starting another.

  12. After migration, information on some screens might not appear. To view the information, clear the browser cache and refresh the page.

  13. When opening an exported CSV file on a European Windows platform, all data might appear in the first column. To view the fields in separate columns, at the beginning of the CSV file, insert "sep=," as a new line and reopen the CSV file in Excel.

  14. After rebooting from migration, immediately performing an update or firmware upgrade causes the internal Virtual Analyzer to fail. To prevent this issue, after rebooting from migration, go to the Administration > Virtual Analyzer > Internal Virtual Analyzer > Status screen and ensure that the status is "Running" before performing an update or firmware upgrade.

  15. On the System Logs screen, if the selected time period contains a time change from standard time to daylight saving time or from daylight saving time to standard time, the timestamp information will shift after the time change occurs.

  16. With the management console open in Firefox, if logs are still loading on the Detections > All Detections screen when the Export button is clicked, the loading process will be interrupted. Use Chrome or Internet Explorer instead.

  17. After migration from a previous release, any customized dashboard configuration and dashboard layout changes are restored to default.

  18. When navigating to another tab immediately after landing on the Dashboard > Summary tab, tab layouts do not display correctly.

  19. When editing advance filters on the Affected Hosts and All Detections screens and the system reaches the configured session timeout, Deep Discovery Inspector logs off the management console without notice and unsaved edits are lost. To avoid this issue, save frequently, and go to Administration > System Settings > Session Timeout and extend the session timeout setting.

  20. IPv6 format cannot be used to configure IP settings for Proxy or for all Deep Discovery Inspector integrated products and services. Use IPv4 format instead.

  21. In the Threat Summary and Watch List widgets, if the selected time period is "Past 24 hours" and contains a time change from standard time to daylight savings time or from daylight savings time to standard time, the widgets display the wrong information. To view correct information when selecting a time period that contains a seasonal time change, select "Past 7 days" or "Past 30 days".

  22. In the Top Affected Hosts widget and all Top Trends widgets, if the selected time period is "Past 1 hour" or "Past 24 hours" and contains a time change from standard time to daylight savings time or from daylight savings time to standard time, the widgets display the wrong information. To view correct information when selecting a time period that contains a seasonal time change, select "Past 7 days" or "Past 30 days".

  23. When opening an exported .csv file on a Mac platform, Deep Discovery Inspector returns unreadable code in the first field. Open exported log files in Windows only.

  24. In log and on-demand report queries, the "Custom range" calendar displays in browser time, not in Deep Discovery Inspector system time. To align, set your browser time zone to your Deep Discovery Inspector system time zone.

  25. The URL of a detected "Suspicious URL" displayed in a notification email is an active link. Avoid clicking on the link to the detected URL.

  26. A manual "Update Components" action cannot be stopped while the action is in-process.

  27. On some Deep Discovery Inspector screens, the date and time format does not follow an international standard.

  28. Each management console user account is provided with a shared dashboard. Changes to one user account dashboard affect the dashboards of other user accounts.

  29. When uploading Virtual Analyzer images from an FTP server:

    • Enable the FTP server for both active and passive mode
    • Enable UTF-8, if the file path or name contains DBCS characters

  30. The Malicious Scanned Network Traffic widget does not include historical data in the displayed statistics after the Deep Discovery Inspector appliance is restarted. The correct data eventually displays after a few minutes.

  31. Traffic data in some widgets cannot be purged on the management console. The Scanned Traffic by Protocol widget displays data even after logs are deleted on the Administration > Storage Maintenance screen.

Back to top

8. Contact Information

A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.

NOTE: This information is subject to change without notice.

Back to top

9. About Trend Micro

Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information

Copyright 2020, Trend Micro Incorporated. All rights reserved.

Substitute trademarks specific to your product for the %%%.

Trend Micro, the Trend Micro logo, Deep Discovery, Deep Discovery Inspector, Trend Micro Control Manager, and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

Back to top

10. License Agreement

View information about your license agreement with Trend Micro at:

Third-party licensing agreements can be viewed in the Deep Discovery Inspector management console by going to the Help > About screen.

Back to top