Submission Policy Matching | Trend Micro Service Central

Views:

The following describes the submission policy matching guidelines in Deep Discovery Analyzer:

File samples:
- For single file samples, Deep Discovery Analyzer analyzes the samples using the Virtual Analyzer image specified in the matched policy. If no match is found, the default policy applies.
- For archive samples:
  - If extracted files match a submission policy and the default policy, Deep Discovery Analyzer uses the Virtual Analyzer image specified in the matched policy and the default policy to analyze files.
  - If some extracted files match a policy and no policy match is found for other files in the same archive sample, Deep Discovery Analyzer applies the matched policy.
  - If some extracted files match the default policy and no policy match is found for other files in the same archive sample, Deep Discovery Analyzer applies the default policy.
  - If no policy match is found for all extracted files in an archive sample, Deep Discovery Analyzer applies the default policy with the unsupported analysis result (displayed as a gray icon () in the Risk Level field on the Submissions screen).
URL samples:
- With prefilter scanning:
  - If the prefilter scan result is non-malicious, Deep Discovery Analyzer does not apply any policies nor analyze the sample using a specific Virtual Analyzer image.
  - If the prefilter scan result is potentially malicious, Deep Discovery Analyzer analyzes the samples using the Virtual Analyzer image specified in the matched policy by submitter (not by file type). If no match is found, the default policy applies.
  - If URL samples link to downloadable files, Deep Discovery Analyzer analyzes the downloaded file samples using the Virtual Analyzer image specified in the matched policy. If no match is found, the default policy applies.
- Without prefilter scanning:
  
  Deep Discovery Analyzer analyzes the samples using the Virtual Analyzer image specified in the matched policy by submitter (not by file type). If no match is found, the default policy applies.

Note:

If the Trend Micro Sandbox for macOS service is enabled for supported Mac file type, Deep Discovery Analyzer sends samples to Sandbox for macOS for analysis and includes the result in the analysis report.

For example, Deep Discovery Analyzer contains three submission policies listed in the following table.

Table 1. Submission policy examples
Policy Name	Submitter	File Type	Image
Policy A	Deep Discover Inspector	`EXE`	Windows 7
Policy A	Deep Discover Inspector	`CSV`	Windows XP
Policy B	Apex One	`PPT`	Windows 10
Default	Any	`SH` `ELF`	CentOS 7
Default	Any	`EXE` `CSV` `PPT` `DOC` `PDF`	Windows 8 Windows 10

Note:

Deep Discovery Analyzer automatically adds the EXE, CSV, and PPT file types to the default policy based on the user-defined policies (Policy A and Policy B).
If the default policy is the only policy matched, Deep Discovery Analyzer analyzes the SH and ELF files using the CentOS 7 image. Any supported Windows file types are analyzed using the Windows images.

The following table shows the matched policies and the Virtual Analyzer image used for samples submitted to Deep Discovery Analyzer.

Table 2. Policy matching result examples
Sample	File Type	Submitter	Matched Policy	Image Used
File	`EXE`	Deep Discovery Inspector	Policy A	Windows 7
	`CSV`	Deep Discovery Inspector	Policy A	Windows XP
	`EXE`	Apex One	Default	Windows 8 Windows 10
	`PPT`	Apex One	Policy B	Windows 10
	`SH`	Apex One	Default	CentOS 7
Archive	`ZIP` (`EXE`)	Deep Discovery Inspector	Policy A	Windows 7
	`ZIP` (`EXE` and `CSV`)	Deep Discovery Inspector	Policy A	Windows 7 Windows XP
	`ZIP` (`EXE`, `CSV`, `DOC`, and `PDF`)	Deep Discovery Inspector	Policy A	Windows 7 Windows XP
	`ZIP` (`EXE`, `CSV`, `DOC`, and `PDF`)	Deep Discovery Inspector	Default	Windows 8 Windows 10
	`ZIP` (`EXE`, `DOC`, and `PDF`)	Deep Discovery Inspector	Policy A	Windows 7
	`ZIP` (`EXE`, `DOC`, and `PDF`)	Deep Discovery Inspector	Default	Windows 8 Windows 10
	`HTML`	Deep Discovery Inspector	Default	Windows 8 Windows 10 Result: Unsupported
	`ZIP` (`EXE` and `HTML`)	Deep Discovery Inspector	Policy A	Windows 7
	`ZIP` (`EXE`, `CSV`, `DOC`, and `PDF`)	Apex One	Default	Windows 8 Windows 10
URL (from prefilter with no policy matching)	Not applicable	Any	Not applicable	All images
URL (without file samples)	Not applicable	Deep Discovery Inspector	Policy A	Windows 7 Windows XP
URL (without file samples)	Not applicable	ScanMail for Microsoft Exchange	Default	Windows 8 Windows 10
URL (with file samples)	`EXE`	Deep Discovery Inspector	Policy A	Windows 7
	`ZIP` (`EXE`, `DOC`, and `PDF`)	Deep Discovery Inspector	Policy A	Windows 7
	`ZIP` (`EXE`, `DOC`, and `PDF`)	Deep Discovery Inspector	Default	Windows 8 Windows 10