Virtual Analyzer Suspicious Objects

Virtual Analyzer in managed products tracks and analyzes submitted samples. Virtual Analyzer flags suspicious objects based on their potential to expose systems to danger or loss. Supported objects include files (SHA-1 hash values), IP addresses, domains, and URLs.

Managed products with Virtual Analyzer send a list of suspicious objects to Control Manager.

For a list of supported managed products, see Suspicious Object Management and Handling Process.

Control Manager displays suspicious objects in Administration > Suspicious Objects > Virtual Analyzer Objects, in the Objects tab.


Control Manager administrators can add objects that they consider suspicious but that are not currently in the list of Virtual Analyzer suspicious objects by going to Administration > Suspicious Objects > User-Defined Objects.

The following columns show information about objects added to the suspicious objects list:

Table 1. Suspicious Objects Columns

Column Name



The suspicious object

If an arrow icon is available before the suspicious object, click the icon to expand the table with details about the suspicious object.

Risk Level

If the suspicious object is:

  • IP address or domain: The risk rating that typically shows is High or Medium (see risk rating descriptions below). This means that high- and medium-risk IP addresses/domains are treated as suspicious objects.


    An IP address or domain with the Low risk rating is also displayed if it is associated with other potentially malicious activities, such as downloading executable files.

  • URL: The risk rating that shows is High or Medium.

  • SHA-1 hash value: The risk rating that shows is always High.

Risk level descriptions:

  • High: Known malicious or involved in high-severity connections

  • Medium: IP address/domain/URL is unknown to reputation service

  • Low: Reputation service indicates previous compromise or spam involvement


Suspicious object type: IP address, domain, URL, or SHA-1 hash value


Date and time Virtual Analyzer will remove the object from the Objects tab

At Risk Endpoints

Endpoints with suspicious activities related to suspicious objects

Sort the column to see which suspicious objects affect the most endpoints. To view details for all endpoints, go to the Handling Process column and click View. In the new screen that opens, click Impact Assessment.

If the status is Not yet assessed, select the object and then click Assess Impact to see the number of affected endpoints.

Impact assessment on suspicious objects requires a Trend Micro product called Deep Discovery Endpoint Sensor.

Control Manager also checks Web Reputation, URL filtering, network content inspection, and rule-based detection logs received from all managed products and then compares them with its list of suspicious objects. If there is a match from a specific endpoint and the managed product takes a "passive" action (such as Log, Pass, or Warn and Continue), the endpoint is also considered at risk.

Scan Action

Action configured by Control Manager administrators against the suspicious object

Control Manager automatically deploys the actions to certain managed products.

For a list of supported managed products, see Suspicious Object Management and Handling Process.

Handling Process

A link to a screen that breaks down the suspicious object handling process into phases. For details, see Handling Process.
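
The log-matching rule described under At Risk Endpoints can be sketched as follows. This is an added example, not Control Manager code: the record field names, the sample objects and log entries, and the "Block" action are constructed assumptions, and the passive-action set holds only the three actions the page names.

```python
from collections import defaultdict

# Passive actions named on the page ("such as"), so this set may be incomplete.
PASSIVE_ACTIONS = {"log", "pass", "warn and continue"}

# Constructed sample data; field names are assumptions, not a product schema.
SUSPICIOUS_OBJECTS = [
    ("domain", "bad.example"),
    ("ip", "203.0.113.7"),
    ("url", "http://bad.example/payload"),
]
LOG_RECORDS = [
    {"endpoint": "ws-01", "source": "web_reputation", "type": "domain", "object": "BAD.example.", "action": "Log"},
    {"endpoint": "ws-02", "source": "url_filtering", "type": "domain", "object": "bad.example", "action": "Block"},
    {"endpoint": "ws-03", "source": "network_content_inspection", "type": "ip", "object": "203.0.113.7", "action": "Pass"},
    {"endpoint": "ws-01", "source": "rule_based_detection", "type": "ip", "object": "203.0.113.7", "action": "Warn and Continue"},
    {"endpoint": "ws-04", "source": "web_reputation", "type": "domain", "object": "ok.example", "action": "Log"},
]

def normalize(obj_type, value):
    """Canonicalize a value so log entries and list entries compare equal."""
    value = value.strip()
    if obj_type == "domain":
        return value.lower().rstrip(".")  # DNS names are case-insensitive
    if obj_type == "sha1":
        return value.lower()              # hex digests are case-insensitive
    return value                          # IPs and URLs compared as-is (assumption)

def at_risk_endpoints(suspicious_objects, log_records):
    """Map each suspicious object to the endpoints that matched it passively."""
    watchlist = {(t, normalize(t, v)) for t, v in suspicious_objects}
    hits = defaultdict(set)
    for rec in log_records:
        key = (rec["type"], normalize(rec["type"], rec["object"]))
        # A match counts only when the product did not stop the activity.
        if key in watchlist and rec["action"].lower() in PASSIVE_ACTIONS:
            hits[key].add(rec["endpoint"])
    # Objects with no passive match still appear, with zero endpoints.
    return {key: hits.get(key, set()) for key in watchlist}

def rank_by_impact(result):
    """Order objects by number of at-risk endpoints, most affected first."""
    return sorted(result.items(), key=lambda kv: (-len(kv[1]), kv[0]))

if __name__ == "__main__":
    ranked = rank_by_impact(at_risk_endpoints(SUSPICIOUS_OBJECTS, LOG_RECORDS))
    for (obj_type, value), endpoints in ranked:
        print(f"{obj_type:7} {value:28} {len(endpoints)} {sorted(endpoints)}")
```

In this sample, ws-02 is not counted for bad.example because its match was blocked rather than handled passively.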