To reduce the number of files and messages in the Virtual Analyzer queues, configure filters for Virtual Analyzer submission.

Note:
  • Object analysis is paused and settings are disabled whenever Virtual Analyzer is being configured.

  • Forcing file analysis and performing message filtering for Virtual Analyzer submission can impact system performance.

  1. Go to Administration > Scanning / Analysis > Virtual Analyzer.
  2. Specify Settings.

    Option: Network Connection

    Note:
      • This section is available when Deep Discovery Email Inspector is using an internal Virtual Analyzer.
      • When the internal Virtual Analyzer is set to connect to the Internet through a proxy server, reconfigure the proxy settings after a configuration restore or firmware update on Deep Discovery Email Inspector.

    From the Network type drop-down list, select how Virtual Analyzer connects to the network. For information about network types, see Virtual Analyzer Network Types.

    If you select the Custom Network type, select a specific port for Virtual Analyzer traffic from the Sandbox port drop-down list and click Configure IPv4 settings to configure the network settings.

    If a proxy server is required for the internal Virtual Analyzer to connect to the Internet, select Use a dedicated proxy server from the drop-down list and provide the following information:

    • Server address
    • Port
    • Proxy server requires authentication: If authentication is required, select this check box and type the user name and password.

    Option: File Submission Filters

    Files: Select the file types to have Virtual Analyzer perform one of the following actions:

    • Submit only highly suspicious files
    • Submit highly suspicious files and force analyze all selected file types

    To reduce the likelihood of false-positive detections, select Do not analyze files found safe by the Certified Safe Software Service. For details, see Certified Safe Software Service.

    Option: URL Submission Filters

    By default, URLs found safe are first submitted to the URL pre-filter before being submitted to Virtual Analyzer. For messages containing safe URLs, you can add one or more subject keywords to select those messages for Virtual Analyzer submission. Safe URLs in matched messages are sent directly to Virtual Analyzer, bypassing the URL pre-filter.

    Keyword: Type a subject keyword and click Add to add the keyword to the list. To delete a keyword from the list, select an entry and click Delete.

    Note: You can specify up to 50 keywords.

    Option: Timeout Setting

    Select how long Virtual Analyzer should wait before timing out a submitted object. By default, when the submission timeout is reached, Virtual Analyzer sends out the submitted objects still waiting in the queue without analysis. Timed-out objects still receive risk levels from the other scan engines. You can configure threat protection rules in policies to perform actions on timed-out objects. For more information, see Configuring a Threat Protection Rule.

  3. Click Save.

Certified Safe Software Service

Certified Safe Software Service (CSSS) is the Trend Micro cloud database of known safe files. Trend Micro datacenters are queried to check submitted files against the database.

Enabling CSSS prevents known safe files from entering the Virtual Analyzer queue. This process:

  • Saves computing time and resources

  • Reduces the likelihood of false positive detections

Tip:

CSSS is enabled by default. Trend Micro recommends using the default settings.

Virtual Analyzer Network Types

When simulating file and URL behavior, Virtual Analyzer uses its own analysis engine to determine the risk of an object. The selected network type also determines whether submitted objects can connect to the Internet.

After configuring the network connection, click Test Internet Connectivity to verify that Virtual Analyzer can connect to the Internet.

Note:

Internet access improves analysis by allowing samples to access C&C callback addresses or other external links.

Network type: Management network
  Description: Direct Virtual Analyzer traffic through the management port.
  Important: Enabling connections to the management network may result in malware propagation and other malicious activity in the network.

Network type: Custom network
  Description: Virtual Analyzer connects to the Internet using a port other than the management port.
  Note: Trend Micro recommends using an environment isolated from the management network, such as a test network with an Internet connection but without proxy settings, proxy authentication, and connection restrictions.

Network type: No network access
  Description: Isolate Virtual Analyzer traffic within the sandbox environment. The environment has no connection to an outside network.
  Note: Virtual Analyzer has no Internet connection and relies only on its analysis engine. No URLs are submitted for analysis.

Virtual Analyzer File Submission Filters

In addition to highly suspicious files, Virtual Analyzer can also scan for a variety of file types.

The following table shows each file category as it is displayed in the console, the full file types that category contains, and example file extensions.

Table 1. Virtual Analyzer File Submission Filters

Displayed file category: Flash and other multimedia
  Full file types:
    • Scalable Vector Graphics (SVG)
    • Adobe™ Shockwave™ Flash file
    • Apple QuickTime media
  Example file extensions: .svg, .swf, .mov

Displayed file category: HTML
  Full file types:
    • Hypertext Markup Language file
    • Web page archive file
  Example file extensions: .htm, .html, .xht, .xhtml, .mht, .mhtml

Displayed file category: Java
  Full file types:
    • Java Archive (JAR)
    • Java class file
  Example file extensions: .jar, .class

Displayed file category: Office
  Full file types:
    • Microsoft™ Word™ document
    • Microsoft™ OLE document
    • Microsoft™ Office Word™ (2007 or later) document
    • Microsoft™ PowerPoint™ presentation
    • Microsoft™ Office PowerPoint™ (2007 or later) presentation
    • Microsoft™ Excel™ spreadsheet
    • Microsoft™ Office Excel™ (2007 or later) spreadsheet
    • Microsoft™ Office™ 2003 XML file
    • Microsoft™ Word™ 2003 XML document
    • Microsoft™ Excel™ 2003 XML spreadsheet
    • Microsoft™ PowerPoint™ 2003 XML presentation
    • Microsoft™ Publisher 2016
    • Hancom™ Hancell spreadsheet
    • Hancom™ Hangul Word Processor (HWP) document
    • Hancom™ Hangul Word Processor (2014 or later) (HWPX) document
    • JustSystems™ Ichitaro™ document
    • JungUm™ Global document
    • Microsoft™ Outlook™ Item
    • Microsoft™ symbolic link format
    • Microsoft™ Excel web query file
    • Comma-separated values (CSV) file
  Note: Only CSV files with suspicious DDEAuto commands are submitted to Virtual Analyzer for analysis.
  Example file extensions: .doc, .dot, .docx, .dotx, .pps, .ppsx, .ppt, .pptx, .pub, .xla, .xls, .xlsx, .xlt, .xlm, .cell, .xml, .xlsb, .xltx, .hwp, .hwpx, .jtd, .gul, .msg, .slk, .iqy, .csv

Displayed file category: Office with Macros
  Full file types:
    • Microsoft™ Office Word™ (2007 or later) macro-enabled document
    • Microsoft™ Office PowerPoint™ (2007 or later) macro-enabled presentation
    • Microsoft™ Office Excel™ (2007 or later) macro-enabled spreadsheet
  Example file extensions: .docm, .dotm, .potm, .ppam, .ppsm, .pptm, .xlam, .xlsm, .xltm

Displayed file category: Other document formats
  Full file types:
    • Compiled HTML (CHM) help file
    • Microsoft™ Windows™ Shell Binary Link shortcut
    • Microsoft™ Rich Text Format (RTF) document
  Example file extensions: .chm, .lnk, .rtf

Displayed file category: PDF
  Full file types:
    • Adobe™ Portable Document Format (PDF)
  Example file extensions: .pdf

Displayed file category: Scripts
  Full file types:
    • Microsoft™ Windows™ Batch file
    • Microsoft™ Windows™ Command Script file
    • JavaScript™ file
    • JavaScript™ encoded script file
    • HTML Application file
    • Microsoft™ Windows™ PowerShell script file
    • Visual Basic™ encoded script file
    • Visual Basic™ script file
    • Microsoft™ Windows™ script file
    • Internet shortcut file
  Note: Only plain text or generic script files with .js or .vbs true file types are submitted to Virtual Analyzer for analysis.
  Example file extensions: .bat, .cmd, .js, .jse, .hta, .ps1, .vbe, .vbs, .wsf, .url

Displayed file category: Windows executables
  Full file types:
    • AMD™ 64-bit DLL file
    • Microsoft™ Windows™ 16-bit DLL file
    • Microsoft™ Windows™ 32-bit DLL file
    • Executable file (EXE)
    • AMD™ 64-bit EXE file
    • DIET DOS EXE file
    • Microsoft™ DOS EXE file
    • IBM™ OS/2 EXE file
    • LZEXE DOS EXE file
    • MIPS EXE file
    • MSIL Portable executable file
    • Microsoft™ Windows™ 16-bit EXE file
    • Microsoft™ Windows™ 32-bit EXE file
    • ARJ compressed EXE file
    • ASPACK 1.x compressed 32-bit EXE file
    • ASPACK 2.x compressed 32-bit EXE file
    • GNU UPX compressed EXE file
    • LZH compressed EXE file
    • LZH compressed EXE file for ZipMail
    • MEW 0.5 compressed 32-bit EXE file
    • MEW 1.0 compressed 32-bit EXE file
    • MEW 1.1 compressed 32-bit EXE file
    • PEPACK compressed executable
    • PKWARE™ PKLITE™ compressed DOS EXE file
    • PETITE compressed 32-bit executable file
    • PKZIP compressed EXE file
    • WWPACK compressed executable file
  Example file extensions: .com, .cpl, .crt, .dll, .drv, .exe, .ocx, .scr, .sys
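The Office row's note says only CSV files carrying suspicious DDEAuto commands are submitted. As an added illustration (not Deep Discovery Email Inspector's own code; the product's actual heuristic is not documented on this page), the following Python check flags CSV cells that a spreadsheet application would evaluate as a formula and that contain a DDE or DDEAUTO call. The trigger-character rule, the regular expression and the sample CSV are all assumptions made for this example.

```python
import csv
import io
import re

# Cells that begin with a formula trigger character are evaluated as formulas
# when the CSV is opened in a spreadsheet application; a DDE or DDEAUTO call in
# such a cell is the pattern the page's note refers to. The exact heuristic the
# product applies is not documented here, so this check is an assumed
# approximation for illustration only.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
DDE_CALL = re.compile(r"\bDDE(?:AUTO)?\s*\(", re.IGNORECASE)

# Constructed sample input (not from the page): two ordinary rows and one cell
# holding a DDEAUTO formula with placeholder arguments.
SAMPLE_CSV = (
    "name,dept,note\n"
    "alice,finance,quarterly figures attached\n"
    'bob,ops,"=DDEAUTO(""example-app"",""example-topic"")"\n'
)


def is_dde_cell(cell: str) -> bool:
    """True if the cell would be evaluated as a formula and calls DDE/DDEAUTO."""
    stripped = cell.lstrip(" \t")
    return stripped.startswith(FORMULA_TRIGGERS) and DDE_CALL.search(stripped) is not None


def find_dde_cells(csv_text: str) -> list[tuple[int, int, str]]:
    """Return (row, column, cell) for every DDE-bearing cell in the CSV text."""
    hits = []
    for row_idx, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for col_idx, cell in enumerate(row):
            if is_dde_cell(cell):
                hits.append((row_idx, col_idx, cell))
    return hits


def should_submit_csv(csv_text: str) -> bool:
    """Mirror the note: a CSV is worth sandboxing only if it carries DDE calls."""
    return bool(find_dde_cells(csv_text))


if __name__ == "__main__":
    for row_idx, col_idx, cell in find_dde_cells(SAMPLE_CSV):
        print(f"row {row_idx}, column {col_idx}: {cell}")
    print("submit to Virtual Analyzer:", should_submit_csv(SAMPLE_CSV))
```

A plain arithmetic formula such as =SUM(A1:A3) is not flagged, which keeps ordinary spreadsheet exports out of the sandbox queue in the same spirit as the note.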

Virtual Analyzer can scan the files that match the supported file types in an archive file. The following table lists the supported archive file types.

Table 2. Archive file types

True File Type | Full File Type | Example File Extensions
7ZIP   | 7-zip archive | .7z
ACE    | WinAce archive | .ace
AMG    | Fujitsu AMG archive | .amg
ARJ    | ARJ archive | .arj
BINHEX | BinHex file | .hqx
BZIP2  | BZIP2 archive | .bz2, .bzip2
CAB    | Microsoft™ Cabinet file | .cab
CPIO   | CPIO archive | .cpio, .cpgz
GZIP   | GNU ZIP archive | .gzip, .gz
ICS    | iCalendar file | .ics
LHA    | LHARC compressed archive | .lha, .lharc
LZH    | Lempel-Ziv-Welch (LZW) Compressed Amiga archive | .lzh
MIME   | Multipurpose Internet Mail Extensions (MIME) Base64 file | .eml, .email
MSG    | Microsoft™ Outlook™ Item | .msg
RAR    | Roshal Archive (RAR) archive | .rar
SIT    | Smith Micro™ StuffIt archive | .sit, .sitx
TAR    | TAR archive | .tar, .tgz
TNEF   | Microsoft™ Outlook™ Transport Neutral Encapsulation Format (TNEF) file | .tnef, .winmail.dat, .win.dat
UDF    | Universal Disk Format file | .iso
UUCODE | Uuencode file | .uue
VCS    | vCalendar file | .vcs
XZ     | XZ archive | .xz
ZIP    | PKWARE PKZIP archive (ZIP) | .zip

The following table lists the Mac file types that Deep Discovery Email Inspector automatically submits to the external Mac sandbox for analysis, regardless of the submission settings. These files are not submitted to the internal Virtual Analyzer.

Note:

If you configure Deep Discovery Email Inspector to use an external Virtual Analyzer and select the Java file category, Deep Discovery Email Inspector also submits Java archive (.jar) and class (.class) files to the external Mac sandbox for analysis.

Table 3. Mac file types

True File Type | Full File Type | Example File Extensions
DMG    | Apple disk image file | .dmg
PKG    | Mac OS X installation file | .pkg
Mach-O | Mach object file | .o