Detected risk is the potential danger that a suspicious email message exhibits.

Deep Discovery Email Inspector assesses email message risk using multi-layered threat analysis. Upon receiving an email message, the Deep Discovery Email Inspector email scanners check it for known threats using the Trend Micro Smart Protection Network and the Trend Micro Advanced Threat Scanning Engine. If the email message has unknown or suspicious characteristics, the email scanners send its file attachments and embedded URLs to Virtual Analyzer for further analysis. Virtual Analyzer simulates the behavior of the suspicious files and URLs to identify potential threats. Deep Discovery Email Inspector then assigns the email message the higher of the two risk levels returned by its own email scanners and by Virtual Analyzer.

For details about how Deep Discovery Email Inspector investigates email messages, see A New Solution.

Email Message Risk Levels

The following table explains the email message risk levels after investigation. View the table to understand why an email message was classified as high, medium, or low risk.

Table 1. Email Message Risk Definitions

Risk Level

Description

High

A high-risk email message contains:

  • Attachments with unknown threats detected as high risk by Virtual Analyzer

  • Attachments detected as high risk based on YARA rules

  • Attachments detected as high risk based on suspicious file matching

  • Attachments detected by Predictive Machine Learning and Email Malware Threat Scan

  • Business Email Compromise

  • Links detected as high risk by Virtual Analyzer

  • Links detected as high risk based on suspicious URL matching

Medium

A medium-risk email message contains:

  • Known malware

  • Known phishing threats

  • Known dangerous links

  • Attachments detected as medium risk based on YARA rules

  • Links detected as medium risk based on suspicious URL matching

Low

A low-risk email message contains:

  • Known highly suspicious or suspicious links (Aggressive mode)

  • Links detected as low risk by Virtual Analyzer

  • Attachments detected as low risk by Virtual Analyzer

  • Attachments detected as low risk based on YARA rules

  • Links detected as low risk based on suspicious URL matching

  • Social engineering attacks

  • Business Email Compromise (BEC) scams

No risk

A no-risk email message:

  • Contains no suspicious attachments or links

  • Contains known highly suspicious or suspicious links (Standard mode)

  • Matches policy exception criteria

Unrated

An unrated email message falls under any of the following categories:

  • Bypassed scanning: Contains an attachment with a compression layer greater than 20 (the file has been compressed over twenty times)

  • Unscannable archive: Contains a password-protected archive that could not be extracted and scanned using the password list or heuristically obtained passwords

  • Unscannable message or attachment: Matches any of the following criteria:

    • Malformed email format

    • A system timeout occurred when Virtual Analyzer attempted to analyze the message

    • A system timeout occurred when Virtual Analyzer attempted to analyze some of the attachments or links and no other risks were detected

    • Virtual Analyzer was unable to analyze all of the attachments or links and no other risks were detected

Unavailable

Deep Discovery Email Inspector does not assign a risk level to a spam or graymail message, or to an email message with a content violation or a DLP incident.
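The rating rules above (the "highest risk wins" rule between the email scanners and Virtual Analyzer, plus the Unrated and Unavailable special cases from the table) can be modelled as a small decision function. The following Python is an added example written for this page, not Trend Micro's own code; the `ScanResult` fields, the precedence between the override conditions (assumed here: Unavailable, then policy exception, then unscannable objects, then the rated levels), and the sample results in `demo()` are all constructed assumptions for illustration, useful for instance when normalizing these verdicts into a SIEM.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Risk(IntEnum):
    """Rated levels ordered by severity so that max() picks the worse verdict."""
    NO_RISK = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


LABELS = {Risk.NO_RISK: "No risk", Risk.LOW: "Low",
          Risk.MEDIUM: "Medium", Risk.HIGH: "High"}
UNRATED = "Unrated"
UNAVAILABLE = "Unavailable"
MAX_COMPRESSION_LAYERS = 20  # "Bypassed scanning" threshold from the table


@dataclass
class ScanResult:
    """Hypothetical summary of one message's scan, assembled from the table rows."""
    scanner_risk: Risk = Risk.NO_RISK      # highest level from the email scanners
    va_risk: Optional[Risk] = None         # Virtual Analyzer verdict, None if not submitted
    is_spam_or_graymail: bool = False
    content_violation_or_dlp: bool = False
    matches_policy_exception: bool = False
    compression_layers: int = 0            # nesting depth of an archived attachment
    unscannable_archive: bool = False      # password-protected, no password worked
    malformed_format: bool = False
    va_timeout: bool = False               # sandbox timed out on message/attachments/links
    va_incomplete: bool = False            # sandbox could not analyze every object


def rate_message(r: ScanResult) -> str:
    """Return the email message risk label following the rules in the table."""
    # Spam/graymail, content-violation and DLP messages get no risk level at all.
    if r.is_spam_or_graymail or r.content_violation_or_dlp:
        return UNAVAILABLE
    # Policy exceptions are reported as no risk (assumed to take precedence here).
    if r.matches_policy_exception:
        return LABELS[Risk.NO_RISK]
    # Objects the scanners could not inspect at all are unrated.
    if (r.compression_layers > MAX_COMPRESSION_LAYERS
            or r.unscannable_archive or r.malformed_format):
        return UNRATED
    # Highest risk wins between the email scanners and Virtual Analyzer.
    detected = r.scanner_risk
    if r.va_risk is not None:
        detected = max(detected, r.va_risk)
    # A sandbox timeout or partial analysis only yields Unrated when nothing else was found.
    if (r.va_timeout or r.va_incomplete) and detected == Risk.NO_RISK:
        return UNRATED
    return LABELS[detected]


def demo() -> list:
    """Constructed sample verdicts showing how the rules combine."""
    cases = [
        ("known malware (Medium) but sandbox rates attachment High",
         ScanResult(scanner_risk=Risk.MEDIUM, va_risk=Risk.HIGH)),
        ("known dangerous link (Medium), sandbox says Low",
         ScanResult(scanner_risk=Risk.MEDIUM, va_risk=Risk.LOW)),
        ("clean scanners, sandbox timed out",
         ScanResult(va_timeout=True)),
        ("archive nested 21 layers deep",
         ScanResult(compression_layers=21)),
        ("graymail message",
         ScanResult(is_spam_or_graymail=True)),
    ]
    return [(desc, rate_message(res)) for desc, res in cases]


if __name__ == "__main__":
    for desc, label in demo():
        print(f"{label:12s} <- {desc}")
```

Note that a timeout on one attachment does not downgrade a message in which another object already triggered a detection: the Unrated row applies only when "no other risks were detected", which is why the timeout check runs after the scanner and Virtual Analyzer verdicts are combined.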

Virtual Analyzer Risk Levels

The following table explains the Virtual Analyzer risk levels after object analysis. View the table to understand why a suspicious object was classified as high or low risk.

Risk Level

Description

High

The object exhibited highly suspicious characteristics that are commonly associated with malware.

Examples:

  • Malware signatures; known exploit code

  • Disabling of security software agents

  • Connection to malicious network destinations

  • Self-replication; infection of other files

  • Dropping or downloading of executable files by documents

Low

The object exhibited mildly suspicious characteristics that are most likely benign.

No Risk

The object did not exhibit suspicious characteristics.