The following describes the submission policy matching guidelines in Deep Discovery Analyzer:
  • File samples:
    • For single file samples, Deep Discovery Analyzer analyzes the samples using the Virtual Analyzer image specified in the matched policy. If no match is found, the default policy applies.
    • For archive samples:
      • If extracted files match a submission policy and the default policy, Deep Discovery Analyzer uses the Virtual Analyzer image specified in the matched policy and the default policy to analyze files.
      • If some extracted files match a policy and no policy match is found for other files in the same archive sample, Deep Discovery Analyzer applies the matched policy.
      • If some extracted files match the default policy and no policy match is found for other files in the same archive sample, Deep Discovery Analyzer applies the default policy.
      • If no policy match is found for any of the extracted files in an archive sample, Deep Discovery Analyzer applies the default policy with the unsupported analysis result (displayed as a gray icon in the Risk Level field on the Submissions screen).
  • URL samples:
    • With prefilter scanning:
      • If the prefilter scan result is non-malicious, Deep Discovery Analyzer does not apply any policy or analyze the sample using a specific Virtual Analyzer image.
      • If the prefilter scan result is potentially malicious, Deep Discovery Analyzer analyzes the samples using the Virtual Analyzer image specified in the matched policy by submitter (not by file type). If no match is found, the default policy applies.
      • If URL samples link to downloadable files, Deep Discovery Analyzer analyzes the downloaded file samples using the Virtual Analyzer image specified in the matched policy. If no match is found, the default policy applies.
    • Without prefilter scanning:
      Deep Discovery Analyzer analyzes the samples using the Virtual Analyzer image specified in the matched policy by submitter (not by file type). If no match is found, the default policy applies.
Note
If the Trend Micro Sandbox for macOS service is enabled for supported Mac file types, Deep Discovery Analyzer sends samples to Sandbox for macOS for analysis and includes the result in the analysis report.
For example, Deep Discovery Analyzer contains three submission policies listed in the following table.

Submission policy examples

| Policy Name | Submitter | File Type | Image |
|---|---|---|---|
| Policy A | Deep Discovery Inspector | EXE | Windows 7 |
| Policy A | Deep Discovery Inspector | CSV | Windows XP |
| Policy B | Apex One | PPT | Windows 10 |
| Default | Any | SH, ELF | CentOS 7 |
| Default | Any | EXE, CSV, PPT, DOC, PDF | Windows 8, Windows 10 |
Note
  • Deep Discovery Analyzer automatically adds the EXE, CSV, and PPT file types to the default policy based on the user-defined policies (Policy A and Policy B).
  • If the default policy is the only policy matched, Deep Discovery Analyzer analyzes the SH and ELF files using the CentOS 7 image. Any supported Windows file types are analyzed using the Windows images.
The following table shows the matched policies and the Virtual Analyzer image used for samples submitted to Deep Discovery Analyzer.

Policy matching result examples

Where an archive matches two policies, the Matched Policy and Image Used cells list them in the same order, separated by semicolons.

| Sample | File Type | Submitter | Matched Policy | Image Used |
|---|---|---|---|---|
| File | EXE | Deep Discovery Inspector | Policy A | Windows 7 |
| File | CSV | Deep Discovery Inspector | Policy A | Windows XP |
| File | EXE | Apex One | Default | Windows 8, Windows 10 |
| File | PPT | Apex One | Policy B | Windows 10 |
| File | SH | Apex One | Default | CentOS 7 |
| Archive | ZIP (EXE) | Deep Discovery Inspector | Policy A | Windows 7 |
| Archive | ZIP (EXE and CSV) | Deep Discovery Inspector | Policy A | Windows 7, Windows XP |
| Archive | ZIP (EXE, CSV, DOC, and PDF) | Deep Discovery Inspector | Policy A; Default | Windows 7, Windows XP; Windows 8, Windows 10 |
| Archive | ZIP (EXE, DOC, and PDF) | Deep Discovery Inspector | Policy A; Default | Windows 7; Windows 8, Windows 10 |
| Archive | HTML | Deep Discovery Inspector | Default | Windows 8, Windows 10 (Result: Unsupported) |
| Archive | ZIP (EXE and HTML) | Deep Discovery Inspector | Policy A | Windows 7 |
| Archive | ZIP (EXE, CSV, DOC, and PDF) | Apex One | Default | Windows 8, Windows 10 |
| URL (from prefilter with no policy matching) | Not applicable | Any | Not applicable | All images |
| URL (without file samples) | Not applicable | Deep Discovery Inspector | Policy A | Windows 7, Windows XP |
| URL (without file samples) | Not applicable | ScanMail for Microsoft Exchange | Default | Windows 8, Windows 10 |
| URL (with file samples) | EXE | Deep Discovery Inspector | Policy A | Windows 7 |
| URL (with file samples) | ZIP (EXE, DOC, and PDF) | Deep Discovery Inspector | Policy A; Default | Windows 7; Windows 8, Windows 10 |
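As an added illustration (not Trend Micro code), the following Python models the single-file and archive matching rules described above, using the three example policies from the "Submission policy examples" table as data; the `Policy` class, the function names and the dict-based representation are assumptions made for this example, and URL samples that link to downloadable files follow the same file and archive rules once the files are downloaded.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    submitter: str | None               # None stands for "Any" (the default policy)
    images: dict[str, tuple[str, ...]]  # file type -> Virtual Analyzer image(s)


# The three policies from the "Submission policy examples" table (constructed here as data).
DEFAULT = Policy("Default", None, {
    "SH": ("CentOS 7",), "ELF": ("CentOS 7",),
    **{ft: ("Windows 8", "Windows 10") for ft in ("EXE", "CSV", "PPT", "DOC", "PDF")},
})
USER_POLICIES = (
    Policy("Policy A", "Deep Discovery Inspector",
           {"EXE": ("Windows 7",), "CSV": ("Windows XP",)}),
    Policy("Policy B", "Apex One", {"PPT": ("Windows 10",)}),
)


def match_file(file_type: str, submitter: str) -> dict[str, tuple[str, ...]]:
    """Single file: a user-defined policy matching both submitter and file type
    wins; otherwise the default policy applies. Returns {policy name: images};
    an empty dict means no policy lists the file type (unsupported)."""
    for policy in USER_POLICIES:
        if policy.submitter == submitter and file_type in policy.images:
            return {policy.name: policy.images[file_type]}
    if file_type in DEFAULT.images:
        return {DEFAULT.name: DEFAULT.images[file_type]}
    return {}


def match_archive(file_types: list[str], submitter: str) -> tuple[dict[str, tuple[str, ...]], bool]:
    """Archive: each extracted file is matched on its own and the results are combined
    per policy. Unmatched files are ignored unless nothing in the archive matches; then
    the default policy applies with the unsupported result (second value True)."""
    matched: dict[str, tuple[str, ...]] = {}
    for file_type in file_types:
        for name, images in match_file(file_type, submitter).items():
            seen = matched.get(name, ())
            matched[name] = seen + tuple(i for i in images if i not in seen)
    if not matched:
        return {DEFAULT.name: ()}, True
    return matched, False


if __name__ == "__main__":
    # Reproduces the Deep Discovery Inspector archive rows of the results table above.
    for files in (["EXE"], ["EXE", "CSV", "DOC", "PDF"], ["HTML"], ["EXE", "HTML"]):
        print(f"ZIP {files!r:40} -> {match_archive(files, 'Deep Discovery Inspector')}")
```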