Certified Safe Software Service

To reduce the number of files and messages in the Virtual Analyzer queues, configure filters for Virtual Analyzer submission.

Note:
  • Object analysis is paused and settings are disabled whenever Virtual Analyzer is being configured.

  • Forcing file analysis and performing message filtering for Virtual Analyzer submission can impact system performance.

  1. Go to Administration > Scanning / Analysis > Virtual Analyzer.
  2. Specify Settings.

    Option

    Description

    Network Connection

    Note:

    This section is available when Deep Discovery Email Inspector is using an internal Virtual Analyzer.

    When the internal Virtual Analyzer is set to connect to the Internet through a proxy server, reconfigure proxy settings after a configuration restore or firmware update on Deep Discovery Email Inspector.

    From the Network type drop-down list, select how Virtual Analyzer connects to the network. For information about network types, see Virtual Analyzer Network Types.

    If you select the Custom Network type, select a specific port for Virtual Analyzer traffic from the Sandbox port drop-down list and click Configure IPv4 settings to configure the network settings.

    If a proxy server is required for the internal Virtual Analyzer to connect to the Internet, select Use a dedicated proxy server from the drop-down list and provide the following information:

    • Server address

    • Port

    • Proxy server requires authentication: If authentication is required, select this check box and type the user name and password.

    File Submission Filters

    Files: Select the file types to have Virtual Analyzer perform one of the following actions:

    • Submit only highly suspicious files

    • Submit highly suspicious files and force analyze all selected file types

    To reduce the likelihood of false-positive detections, select Do not analyze files found safe by the Certified Safe Software Service.

    For details, see Certified Safe Software Service.

    URL Submission Filters

    By default, URLs found safe are first submitted to the URL pre-filter before submitting to Virtual Analyzer. For messages with safe URLs, you can add one or more subject keywords to filter these messages for Virtual Analyzer submission. Safe URLs in matched messages are sent directly to Virtual Analyzer, bypassing the URL pre-filter.

    Keyword: Type a subject keyword and click Add to add the keyword to the list.

    To delete a keyword from the list, select an entry and click Delete.

    Note:

    You can specify up to 50 keywords.

    Timeout Setting

    Select how long Virtual Analyzer should wait before timing out a submitted object. By default, when the submission timeout is reached, Virtual Analyzer sends out submitted objects waiting in the queue without analysis. Timed out objects still receive risk levels from other scan engines.

    You can configure threat protection rules in policies to perform actions on timed out objects.

    For more information, see Configuring a Threat Protection Rule.

  3. Click Save.

Certified Safe Software Service

Certified Safe Software Service (CSSS) is the Trend Micro cloud database of known safe files. Trend Micro datacenters are queried to check submitted files against the database.

Enabling CSSS prevents known safe files from entering the Virtual Analyzer queue. This process:

  • Saves computing time and resources

  • Reduces the likelihood of false positive detections

Tip:

CSSS is enabled by default. Trend Micro recommends using the default settings.

Virtual Analyzer Network Types

When simulating file and URL behavior, Virtual Analyzer uses its own analysis engine to determine the risk of an object. The selected network type also determines whether submitted objects can connect to the Internet.

After configuring the network connection, click Test Internet Connectivity to verify that Virtual Analyzer can connect to the Internet.

Note:

Internet access improves analysis by allowing samples to access C&C callback addresses or other external links.

Network Type

Description

Management network

Direct Virtual Analyzer traffic through the management port.

Important:

Enabling connections to the management network may result in malware propagation and other malicious activity in the network.

Custom network

Virtual Analyzer connects to the Internet using a port other than the management port.

Note:

Trend Micro recommends using an environment isolated from the management network, such as a test network with Internet connection but without proxy settings, proxy authentication, and connection restrictions.

No network access

Isolate Virtual Analyzer traffic within the sandbox environment. The environment has no connection to an outside network.

Note:

Virtual Analyzer has no Internet connection and relies only on its analysis engine.

No URLs are submitted for analysis.

Virtual Analyzer File Submission Filters

In addition to highly suspicious files, Virtual Analyzer can also scan for a variety of file types.

The following table shows the displayed file categories, contained full file types, and file extensions.

Table 1. Virtual Analyzer File Submission Filters

Displayed File Category

Full File Type

Example File Extensions

Flash and other multimedia

Scalable Vector Graphics (SVG)

Adobe™ Shockwave™ Flash file

Apple QuickTime media

.svg

.swf

.mov

HTML

Hypertext Markup Language file

Web page archive file

.htm

.html

.xht

.xhtml

.mht

.mhtml

Java

Java Archive (JAR)

Java class file

.jar

.class

Office

Microsoft™ Word™ document

Microsoft™ OLE document

Microsoft™ Office Word™ (2007 or later) document

Microsoft™ Powerpoint™ presentation

Microsoft™ Office PowerPoint™ (2007 or later) presentation

Microsoft™ Excel™ spreadsheet

Microsoft™ Office Excel™ (2007 or later) spreadsheet

Microsoft™ Office™ 2003 XML file

Microsoft™ Word™ 2003 XML document

Microsoft™ Excel™ 2003 XML spreadsheet

Microsoft™ PowerPoint™ 2003 XML presentation

Microsoft™ Publisher 2016

Hancom™ Hancell spreadsheet

Hancom™ Hangul Word Processor (HWP) document

Hancom™ Hangul Word Processor (2014 or later) (HWPX) document

JustSystems™ Ichitaro™ document

JungUm™ Global document

Microsoft™ Outlook™ Item

Microsoft™ symbolic link format

Microsoft™ Excel web query file

Comma-separated values (CSV) file

Note:

Only CSV files with suspicious DDEAuto commands are submitted to Virtual Analyzer for analysis.

.doc

.dot

.docx

.dotx

.pps

.ppsx

.ppt

.pptx

.pub

.xla

.xls

.xlsx

.xlt

.xlm

.cell

.xml

.xlsb

.xltx

.hwp

.hwpx

.jtd

.gul

.msg

.slk

.iqy

.csv

Office with Macros

Microsoft™ Office Word™ (2007 or later) macro-enabled document

Microsoft™ Office PowerPoint™ (2007 or later) macro-enabled presentation

Microsoft™ Office Excel™ (2007 or later) macro-enabled spreadsheet

.docm

.dotm

.potm

.ppam

.ppsm

.pptm

.xlam

.xlsm

.xltm

Other document formats

Compiled HTML (CHM) help file

Microsoft™ Windows™ Shell Binary Link shortcut

Microsoft™ Rich Text Format (RTF) document

.chm

.lnk

.rtf

PDF

Adobe™ Portable Document Format (PDF)

.pdf

Scripts

Microsoft™ Windows™ Batch file

Microsoft™ Windows™ Command Script file

JavaScript™ file

JavaScript™ encoded script file

HTML Application file

Microsoft™ Windows™ PowerShell script file

Visual Basic™ encoded script file

Visual Basic™ script file

Microsoft™ Windows™ script file

Internet shortcut file

Note:

Only plain text or generic script files with .js or .vbs true file types are submitted to Virtual Analyzer for analysis.

.bat

.cmd

.js

.jse

.hta

.ps1

.vbe

.vbs

.wsf

.url

Windows executables

AMD™ 64-bit DLL file

Microsoft™ Windows™ 16-bit DLL file

Microsoft™ Windows™ 32-bit DLL file

Executable file (EXE)

AMD™ 64-bit EXE file

DIET DOS EXE file

Microsoft™ DOS EXE file

IBM™ OS/2 EXE file

LZEXE DOS EXE file

MIPS EXE file

MSIL Portable executable file

Microsoft™ Windows™ 16-bit EXE file

Microsoft™ Windows™ 32-bit EXE file

ARJ compressed EXE file

ASPACK 1.x compressed 32-bit EXE file

ASPACK 2.x compressed 32-bit EXE file

GNU UPX compressed EXE file

LZH compressed EXE file

LZH compressed EXE file for ZipMail

MEW 0.5 compressed 32-bit EXE file

MEW 1.0 compressed 32-bit EXE file

MEW 1.1 compressed 32-bit EXE file

PEPACK compressed executable

PKWARE™ PKLITE™ compressed DOS EXE file

PETITE compressed 32-bit executable file

PKZIP compressed EXE file

WWPACK compressed executable file

.com

.cpl

.crt

.dll

.drv

.exe

.ocx

.scr

.sys

Virtual Analyzer can scan the files that match the supported file types in an archive file. The following table lists the supported archive file types.

Table 2. Archive file types

True File Type

Full File Type

Example File Extensions

7ZIP

7-zip archive

.7z

ACE

WinAce archive

.ace

AMG

Fujitsu AMG archive

.amg

ARJ

ARJ archive

.arj

BINHEX

BinHex file

.hqx

BZIP2

BZIP2 archive

.bz2

.bzip2

CAB

Microsoft™ Cabinet file

.cab

CPIO

CPIO archive

.cpio

.cpgz

GZIP

GNU ZIP archive

.gzip

.gz

ICS

iCalendar file

.ics

LHA

LHARC compressed archive

.lha

.lharc

LZH

Lempel-Ziv-Welch (LZW) Compressed Amiga archive

.lzh

MIME

Multipurpose Internet Mail Extensions (MIME) Base64 file

.eml

.email

MSG

Microsoft™ Outlook™ Item

.msg

RAR

Roshal Archive (RAR) archive

.rar

SIT

Smith Micro™ StuffIt archive

.sit

.sitx

TAR

TAR archive

.tar

.tgz

TNEF

Microsoft™ Outlook™ Transport Neutral Encapsulation Format (TNEF) file

.tnef

.winmail.dat

.win.dat

UDF

Universal Disk Format file

.iso

UUCODE

Uuencode file

.uue

VCS

vCalendar file

.vcs

XZ

XZ archive

.xz

ZIP

PKWARE PKZIP archive (ZIP)

.zip

The following table lists the Mac file types that Deep Discovery Email Inspector automatically submits to the external Mac sandbox for analysis, regardless of the submission settings. These files are not submitted to the internal Virtual Analyzer.

Note:

If you configure Deep Discovery Email Inspector to use an external Virtual Analyzer and select the Java file category, Deep Discovery Email Inspector also submits Java archive (.jar) and class (.class) files to the external Mac sandbox for analysis.

Table 3. Mac file types

True File Type

Full File Type

Example File Extensions

DMG

Apple disk image file

.dmg

PKG

Mac OS X installation file

.pkg

Mach-O

Mach object file

.o