Features and Benefits
Threat Discovery Appliance uses the mirror port of the switch to monitor network traffic and detect known and potential security risks. Threat Discovery Appliance provides the following features and benefits:
The Virus Scan Engine is a file-based detection scanning engine that supports true file type, multi-packed file, and IntelliTrap detection. The scan engine performs the actual scanning across the network and uses the virus pattern file to analyze the files traveling throughout your network. The virus pattern file contains binary patterns of known viruses. Trend Micro regularly releases new virus pattern files when new threats arise. To take advantage of the latest components, regularly update Threat Discovery Appliance (see Component Updates).
The virus scan engine has the following methods of detection:
True File Type
Multi-packed/Multi-layered files
IntelliTrap
Virus writers can quickly rename files to disguise a file's actual type. Threat Discovery Appliance confirms a file's true type by reading the file header and checking the file's internally registered data type. Threat Discovery Appliance scans only file types capable of infection.
With true file type, Threat Discovery Appliance determines a file’s true type and skips inert file types. Inert file types include files such as .gif files, which make up a large volume of Internet traffic.
A multi-packed file is an executable file compressed using more than one packer or compression tool, for example an executable packed with Aspack, then with UPX, then with Aspack again.
A multi-layered file is an executable file placed in several containers or layers. A layer consists of a document, an archive, or a combination of both. An example of a multi-layered file is an executable file compressed using Zip compression and placed inside a document.
These methods hide malicious content by burying it under multiple layers of compression. Traditional antivirus programs cannot detect these threats because they do not support scanning of layered, compressed, or packed files.
Virus writers often use different file compression schemes to circumvent virus filtering. IntelliTrap helps Threat Discovery Appliance evaluate compressed files that could contain viruses or other Internet threats.
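The two ideas above, identifying a file by its header rather than its name and descending through nested containers with a depth cap, can be shown together in a small checker. The following is an added illustration, not Trend Micro's code and not how the Virus Scan Engine is implemented: the signature table, the set of "inert" types, the executable-extension list, and the three-layer cap are assumptions chosen for the example, and the sample archive is constructed in memory from harmless header bytes.

```python
import io
import zipfile

# Magic-byte table for a handful of common formats. This is a constructed,
# minimal subset for the example; a real engine carries far more signatures.
SIGNATURES = (
    (b"MZ", "exe"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
)
INERT_TYPES = {"gif", "png"}              # cannot carry executable code: skip
EXECUTABLE_TYPES = {"exe", "elf"}
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "elf", ""}  # assumed "honest" names
MAX_LAYERS = 3                            # cap on container nesting (assumption)

# Constructed sample contents: header bytes only, no real program code.
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 32
GIF_SAMPLE = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16


def true_file_type(data):
    """Identify a file by its header bytes, ignoring the file name entirely."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(name):
    """Extension the file name claims, lower-cased; empty if there is none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect(name, data, depth=0):
    """Return (path, extension, true_type, verdict) tuples for a file and,
    for zip containers, for every member, descending at most MAX_LAYERS deep."""
    kind = true_file_type(data)
    ext = extension_of(name)
    if kind in INERT_TYPES:
        return [(name, ext, kind, "skip")]
    if kind == "zip":
        if depth >= MAX_LAYERS:
            # Deeply nested layers are a hiding technique in themselves;
            # stop here and let the caller decide how to treat the file.
            return [(name, ext, kind, "layer limit reached")]
        results = [(name, ext, kind, "container")]
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = zf.read(info)
                results.extend(inspect(name + "/" + info.filename, member, depth + 1))
        return results
    if kind in EXECUTABLE_TYPES and ext not in EXECUTABLE_EXTENSIONS:
        # Header says executable, name says otherwise: the renamed-file trick.
        return [(name, ext, kind, "disguised executable")]
    return [(name, ext, kind, "scan")]


def wrap_in_zip(member_name, data):
    """Build a one-member zip archive in memory (used to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def build_sample():
    """Constructed sample archive: a real GIF, an executable renamed to .jpg,
    and a nested zip holding an executable."""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("report.gif", GIF_SAMPLE)
        zf.writestr("photo.jpg", FAKE_EXE)
        zf.writestr("inner.zip", wrap_in_zip("tool.exe", FAKE_EXE))
    return outer.getvalue()


if __name__ == "__main__":
    for row in inspect("sample.zip", build_sample()):
        print(row)
```

Running the block prints one row per file: the GIF is skipped as inert, `photo.jpg` is flagged because its header is an MZ executable, and `tool.exe` is reached through the nested archive. Wrapping a file in more than three zip layers stops the descent with a "layer limit reached" verdict instead of recursing without bound.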
Threat Discovery Appliance uses a combination of patterns and heuristics to proactively detect network viruses. The product monitors network packets and triggers events that can indicate an attack against a network. The product can also scan traffic in specific network segments.
Network Content Inspection Engine is the program module used by Threat Discovery Appliance that scans the content that passes through the network layer.
Network Content Correlation Engine is the program module used by Threat Discovery Appliance that implements rules or policies defined by Trend Micro. Trend Micro regularly updates these rules after analyzing the patterns and trends that new and modified viruses exhibit.
A potential risk file is a file that the Network Content Inspection Engine categorizes as potentially malicious but that the Virus Scan Engine does not match against any known signature pattern of verified malicious files, so the scan engine does not categorize it as malicious or as a security risk. Threat Discovery Appliance captures potential risk files, enters a log in the database, and saves a copy of the file. Threat Discovery Appliance captures the file session and threat information as a file header and stores that data in the log file.
Threat Discovery Appliance deploys in offline mode. It monitors the network traffic by connecting to the mirror port on a switch for minimal or no network interruption.
Product deployment
Threat Discovery Appliance monitors network activities that use the HTTP, FTP, SMTP, SNMP, and P2P protocols.