Submission Policy Matching

The following describes the submission policy matching guidelines in Deep Discovery Analyzer:

  • File samples:

    • For single file samples, Deep Discovery Analyzer analyzes the sample using the Virtual Analyzer image specified in the matched policy. If no match is found, the default policy applies.

    • For archive samples:

      • If some extracted files match a submission policy and others match the default policy, Deep Discovery Analyzer uses the Virtual Analyzer images specified in both the matched policy and the default policy to analyze the respective files.

      • If some extracted files match a policy and no policy match is found for other files in the same archive sample, Deep Discovery Analyzer applies the matched policy.

      • If some extracted files match the default policy and no policy match is found for other files in the same archive sample, Deep Discovery Analyzer applies the default policy.

      • If no policy match is found for all extracted files in an archive sample, Deep Discovery Analyzer applies the default policy with the "Unsupported" analysis result.

  • URL samples:

    • With prefilter scanning:

      • If the prefilter scan result is non-malicious, Deep Discovery Analyzer does not apply any policy and does not analyze the sample using a specific Virtual Analyzer image.

      • If the prefilter scan result is potentially malicious, Deep Discovery Analyzer analyzes the sample using the Virtual Analyzer image specified in the matched policy; the match is made by submitter only (not by file type). If no match is found, the default policy applies.

      • If URL samples link to downloadable files, Deep Discovery Analyzer analyzes the downloaded file samples using the Virtual Analyzer image specified in the matched policy. If no match is found, the default policy applies.

    • Without prefilter scanning:

      Deep Discovery Analyzer analyzes the sample using the Virtual Analyzer image specified in the matched policy; the match is made by submitter only (not by file type). If no match is found, the default policy applies.

Note:

If the Trend Micro Sandbox for macOS service is enabled for supported Mac file types, Deep Discovery Analyzer sends those samples to Sandbox for macOS for analysis and includes the result in the analysis report.

For example, suppose Deep Discovery Analyzer contains the three submission policies listed in the following table.

Table 1. Submission policy examples

Policy Name | Submitter                | File Type               | Image
------------|--------------------------|-------------------------|----------------------
Policy A    | Deep Discovery Inspector | EXE                     | Windows 7
            |                          | CSV                     | Windows XP
Policy B    | Apex One                 | PPT                     | Windows 10
Default     | Any                      | SH, ELF                 | CentOS 7
            |                          | EXE, CSV, PPT, DOC, PDF | Windows 8, Windows 10

Note:

  • Deep Discovery Analyzer automatically adds the EXE, CSV, and PPT file types to the default policy based on the user-defined policies (Policy A and Policy B).

  • If the default policy is the only policy matched, Deep Discovery Analyzer analyzes SH and ELF files using the CentOS 7 image. Any supported Windows file types are analyzed using the Windows images.

The following table shows the matched policies and the Virtual Analyzer image used for samples submitted to Deep Discovery Analyzer.

Table 2. Policy matching result examples

Sample                                        | File Type                    | Submitter                       | Matched Policy | Image Used
----------------------------------------------|------------------------------|---------------------------------|----------------|----------------------------------------------
File                                          | EXE                          | Deep Discovery Inspector        | Policy A       | Windows 7
                                              | CSV                          | Deep Discovery Inspector        | Policy A       | Windows XP
                                              | EXE                          | Apex One                        | Default        | Windows 8, Windows 10
                                              | PPT                          | Apex One                        | Policy B       | Windows 10
                                              | SH                           | Apex One                        | Default        | CentOS 7
Archive                                       | ZIP (EXE)                    | Deep Discovery Inspector        | Policy A       | Windows 7
                                              | ZIP (EXE and CSV)            | Deep Discovery Inspector        | Policy A       | Windows 7, Windows XP
                                              | ZIP (EXE, CSV, DOC, and PDF) | Deep Discovery Inspector        | Policy A       | Windows 7, Windows XP
                                              |                              |                                 | Default        | Windows 8, Windows 10
                                              | ZIP (EXE, DOC, and PDF)      | Deep Discovery Inspector        | Policy A       | Windows 7
                                              |                              |                                 | Default        | Windows 8, Windows 10
                                              | HTML                         | Deep Discovery Inspector        | Default        | Windows 8, Windows 10 (Result: Unsupported)
                                              | ZIP (EXE and HTML)           | Deep Discovery Inspector        | Policy A       | Windows 7
                                              | ZIP (EXE, CSV, DOC, and PDF) | Apex One                        | Default        | Windows 8, Windows 10
URL (from prefilter with no policy matching)  | Not applicable               | Any                             | Not applicable | All images
URL (without file samples)                    | Not applicable               | Deep Discovery Inspector        | Policy A       | Windows 7, Windows XP
                                              | Not applicable               | ScanMail for Microsoft Exchange | Default        | Windows 8, Windows 10
URL (with file samples)                       | EXE                          | Deep Discovery Inspector        | Policy A       | Windows 7
                                              | ZIP (EXE, DOC, and PDF)      | Deep Discovery Inspector        | Policy A       | Windows 7
                                              |                              |                                 | Default        | Windows 8, Windows 10
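The matching rules above, written out as an added Python model that reproduces the Table 2 results. This is not Deep Discovery Analyzer code: the policy data is copied from Table 1, and the `kind` and `file_types` parameters, the unioning of images per policy, and the "Unsupported" flag are this example's own assumptions about how the rules compose.

```python
# Added example: a model of the submission-policy matching rules (not Deep
# Discovery Analyzer code). Policy data mirrors Table 1 of the page.
POLICIES = [  # (policy name, submitter, {file type: image})
    ("Policy A", "Deep Discovery Inspector", {"EXE": "Windows 7", "CSV": "Windows XP"}),
    ("Policy B", "Apex One", {"PPT": "Windows 10"}),
]
DEFAULT_IMAGES = {"SH": "CentOS 7", "ELF": "CentOS 7"}   # default policy, Linux types
WINDOWS_TYPES = {"EXE", "CSV", "PPT", "DOC", "PDF"}       # default policy, Windows types
WINDOWS_IMAGES = ("Windows 8", "Windows 10")


def match_file(submitter, file_type):
    """Single-file rule: a user-defined policy matched by submitter and file
    type wins; otherwise the default policy; otherwise no match at all."""
    for name, policy_submitter, images in POLICIES:
        if policy_submitter == submitter and file_type in images:
            return name, (images[file_type],)
    if file_type in DEFAULT_IMAGES:
        return "Default", (DEFAULT_IMAGES[file_type],)
    if file_type in WINDOWS_TYPES:
        return "Default", WINDOWS_IMAGES
    return None, ()   # unsupported file type: no policy matches


def match_sample(kind, submitter, file_types=()):
    """Return ({matched policy: images}, unsupported) for a sample.

    kind is "file", "archive" or "url" (assumed parameter). URL samples are
    matched by submitter only; file and archive samples are matched per file,
    and the images of every policy that matched any file are collected."""
    if kind == "url":
        for name, policy_submitter, images in POLICIES:
            if policy_submitter == submitter:
                return {name: tuple(images.values())}, False
        return {"Default": WINDOWS_IMAGES}, False
    result = {}
    for file_type in file_types:
        policy, images = match_file(submitter, file_type)
        if policy:
            result.setdefault(policy, [])
            result[policy] += [i for i in images if i not in result[policy]]
    if not result:   # no file matched anything: default policy, "Unsupported" result
        return {"Default": WINDOWS_IMAGES}, True
    return {k: tuple(v) for k, v in result.items()}, False
```

Files an archive contains that match no policy are simply dropped from the result, which is how the `ZIP (EXE and HTML)` row ends up with Policy A only.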