Certified Safe Software Service

To reduce the number of files and messages in the Virtual Analyzer queues, configure filters for Virtual Analyzer submission.

  • Object analysis is paused and settings are disabled whenever Virtual Analyzer is being configured.

  • Forcing file analysis and performing message filtering for Virtual Analyzer submission can impact system performance.

  1. Go to Administration > Scanning / Analysis > Virtual Analyzer.
  2. Specify Settings.



    Network Connection


    This section is available when Deep Discovery Email Inspector is using an internal Virtual Analyzer.

    When the internal Virtual Analyzer is set to connect to the Internet through a proxy server, reconfigure proxy settings after a configuration restore or firmware update on Deep Discovery Email Inspector.

    From the Network type drop-down list, select how Virtual Analyzer connects to the network. For information about network types, see Virtual Analyzer Network Types.

    If you select the Custom Network type, select a specific port for Virtual Analyzer traffic from the Sandbox port drop-down list and click Configure IPv4 settings to configure the network settings.

    If a proxy server is required for the internal Virtual Analyzer to connect to the Internet, select Use a dedicated proxy server from the drop-down list and provide the following information:

    • Server address

    • Port

    • Proxy server requires authentication: If authentication is required, select this check box and type the user name and password.

    File Submission Filters

    Files: Select the file types to have Virtual Analyzer perform one of the following actions:

    • Submit only highly suspicious files

    • Submit highly suspicious files and force analyze all selected file types

    To reduce the likelihood of false-positive detections, select Do not analyze files found safe by the Certified Safe Software Service.

    For details, see Certified Safe Software Service.

    URL Submission Filters

    By default, URLs found safe are first submitted to the URL pre-filter before submitting to Virtual Analyzer. For messages with safe URLs, you can add one or more subject keywords to filter these messages for Virtual Analyzer submission. Safe URLs in matched messages are sent directly to Virtual Analyzer, bypassing the URL pre-filter.

    Keyword: Type a subject keyword and click Add to add the keyword to the list.

    To delete a keyword from the list, select an entry and click Delete.


    You can specify up to 50 keywords.

    Timeout Setting

    Select how long Virtual Analyzer should wait before timing out a submitted object. By default, when the submission timeout is reached, Virtual Analyzer sends out submitted objects waiting in the queue without analysis. Timed out objects still receive risk levels from other scan engines.

    You can configure threat protection rules in policies to perform actions on timed out objects.

    For more information, see Configuring a Threat Protection Rule.

  3. Click Save.

Certified Safe Software Service

Certified Safe Software Service (CSSS) is the Trend Micro cloud database of known safe files. Trend Micro datacenters are queried to check submitted files against the database.

Enabling CSSS prevents known safe files from entering the Virtual Analyzer queue. This process:

  • Saves computing time and resources

  • Reduces the likelihood of false positive detections


CSSS is enabled by default. Trend Micro recommends using the default settings.

Virtual Analyzer Network Types

When simulating file and URL behavior, Virtual Analyzer uses its own analysis engine to determine the risk of an object. The selected network type also determines whether submitted objects can connect to the Internet.

After configuring the network connection, click Test Internet Connectivity to verify that Virtual Analyzer can connect to the Internet.


Internet access improves analysis by allowing samples to access C&C callback addresses or other external links.

Network Type


Management network

Direct Virtual Analyzer traffic through the management port.


Enabling connections to the management network may result in malware propagation and other malicious activity in the network.

Custom network

Virtual Analyzer connects to the Internet using a port other than the management port.


Trend Micro recommends using an environment isolated from the management network, such as a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions.

No network access

Isolate Virtual Analyzer traffic within the sandbox environment. The environment has no connection to an outside network.


Virtual Analyzer has no Internet connection and relies only on its analysis engine.

No URLs are submitted for analysis.

Virtual Analyzer File Submission Filters

In addition to highly suspicious files, Virtual Analyzer can also scan for a variety of file types.

The following table shows the displayed file categories, contained full file types, and file extensions.

Table 1. Virtual Analyzer File Submission Filters

Displayed File Category

Full File Type

Example File Extensions

Flash and other multimedia

Scalable Vector Graphics (SVG)

Adobe™ Shockwave™ Flash file

Apple QuickTime media





Hypertext Markup Language file

Web page archive file








Java Archive (JAR)

Java class file




Microsoft™ Word™ document

Microsoft™ OLE document

Microsoft™ Office Word™ (2007 or later) document

Microsoft™ Powerpoint™ presentation

Microsoft™ Office PowerPoint™ (2007 or later) presentation

Microsoft™ Excel™ spreadsheet

Microsoft™ Office Excel™ (2007 or later) spreadsheet

Microsoft™ Office™ 2003 XML file

Microsoft™ Word™ 2003 XML document

Microsoft™ Excel™ 2003 XML spreadsheet

Microsoft™ PowerPoint™ 2003 XML presentation

Microsoft™ Publisher 2016

Hancom™ Hancell spreadsheet

Hancom™ Hangul Word Processor (HWP) document

Hancom™ Hangul Word Processor (2014 or later) (HWPX) document

JustSystems™ Ichitaro™ document

JungUm™ Global document

Microsoft™ Outlook™ Item

Microsoft™ symbolic link format

Microsoft™ Excel web query file

Comma-separated values (CSV) file


Only CSV files with suspicious DDEAuto commands are submitted to Virtual Analyzer for analysis.



























Office with Macros

Microsoft™ Office Word™ (2007 or later) macro-enabled document

Microsoft™ Office PowerPoint™ (2007 or later) macro-enabled presentation

Microsoft™ Office Excel™ (2007 or later) macro-enabled spreadsheet










Other document formats

Compiled HTML (CHM) help file

Microsoft™ Windows™ Shell Binary Link shortcut

Microsoft™ Rich Text Format (RTF) document





Adobe™ Portable Document Format (PDF)



Microsoft™ Windows™ Batch file

Microsoft™ Windows™ Command Script file

JavaScript™ file

JavaScript™ encoded script file

HTML Application file

Microsoft™ Windows™ PowerShell script file

Visual Basic™ encoded script file

Visual Basic™ script file

Microsoft™ Windows™ script file

Internet shortcut file


Only plain text or generic script files with .js or .vbs true file types are submitted to Virtual Analyzer for analysis.











Windows executables

AMD™ 64-bit DLL file

Microsoft™ Windows™ 16-bit DLL file

Microsoft™ Windows™ 32-bit DLL file

Executable file (EXE)

AMD™ 64-bit EXE file


Microsoft™ DOS EXE file

IBM™ OS/2 EXE file



MSIL Portable executable file

Microsoft™ Windows™ 16-bit EXE file

Microsoft™ Windows™ 32-bit EXE file

ARJ compressed EXE file

ASPACK 1.x compressed 32-bit EXE file

ASPACK 2.x compressed 32-bit EXE file

GNU UPX compressed EXE file

LZH compressed EXE file

LZH compressed EXE file for ZipMail

MEW 0.5 compressed 32-bit EXE file

MEW 1.0 compressed 32-bit EXE file

MEW 1.1 compressed 32-bit EXE file

PEPACK compressed executable

PKWARE™ PKLITE™ compressed DOS EXE file

PETITE compressed 32-bit executable file

PKZIP compressed EXE file

WWPACK compressed executable file










Virtual Analyzer can scan the files that match the supported file types in an archive file. The following table lists the supported archive file types.

Table 2. Archive file types

True File Type

Full File Type

Example File Extensions


7-zip archive



WinAce archive



Fujitsu AMG archive



ARJ archive



BinHex file



BZIP2 archive




Microsoft™ Cabinet file



CPIO archive




GNU ZIP archive




iCalendar file



LHARC compressed archive




Lempel-Ziv-Welch (LZW) Compressed Amiga archive



Multipurpose Internet Mail Extensions (MIME) Base64 file




Microsoft™ Outlook™ Item



Roshal Archive (RAR) archive



Smith Micro™ StuffIt archive




TAR archive




Microsoft™ Outlook™ Transport Neutral Encapsulation Format (TNEF) file





Universal Disk Format file



Uuencode file



vCalendar file



XZ archive





The following table lists the Mac file types that Deep Discovery Email Inspector automatically submits to the external Mac sandbox for analysis, regardless of the submission settings. These files are not submitted to the internal Virtual Analyzer.


If you configure Deep Discovery Email Inspector to use an external Virtual Analyzer and select the Java file category, Deep Discovery Email Inspector also submits Java archive (.jar) and class (.class) files to the external Mac sandbox for analysis.

Table 3. Mac file types

True File Type

Full File Type

Example File Extensions


Apple disk image file



Mac OS X installation file



Mach object file