Trend Micro Incorporated                                      April 2021

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       Trend Micro(TM) Deep Discovery Director (Consolidated Mode)
                              Version 5.3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: This Readme file was current as of the date above. However, all
customers are advised to check Trend Micro's website for documentation
updates.

GM release documentation:
https://docs.trendmicro.com/en-us/enterprise/deep-discovery-director.aspx

Patch/SP release documentation:
https://downloadcenter.trendmicro.com


Contents
=====================================================================
1. About Deep Discovery Director
2. What's New
3. Documentation Set
4. System Requirements
5. Installation or Upgrade
6. Post-Installation Configuration
7. Known Issues
8. Contact Information
9. About Trend Micro
10. License Agreement
=====================================================================


1. About Deep Discovery Director
========================================================================

Trend Micro Deep Discovery Director is a management solution that
enables the following:

* Centralized deployment of hotfixes, critical patches, firmware, and
  Virtual Analyzer images
* Configuration replication
* Log aggregation
* Realtime threat detection monitoring and correlation
* Threat intelligence management and sharing

To accommodate different organizational and infrastructural
requirements, Deep Discovery Director provides flexible deployment.
Deep Discovery Director also supports out-of-the-box integration with
Deep Discovery Analyzer, Deep Discovery Email Inspector, Deep Discovery
Inspector, Deep Discovery Web Inspector, and Deep Discovery Director -
Network Analytics.


2. What's New
========================================================================

This product release includes the following new features:

Support for Linux-based Virtual Analyzer Images
-----------------------------
Deep Discovery Director now supports deployment of Linux-based Virtual
Analyzer images to managed Deep Discovery appliances.

Centralized configuration of Network Asset settings
-----------------------------
Deep Discovery Director now supports syncing of Network Asset settings
to managed Deep Discovery Inspector and Deep Discovery Director -
Network Analytics products.

Network Analytics alert for Suspicious Objects
-----------------------------
Deep Discovery Director can now send alert notifications when
correlated events have been found for user-defined suspicious objects.

Enhanced management console navigation
-----------------------------
The "Domain Exceptions", "Priority Watch List", "Registered Domains",
"Network Groups", and "Registered Services" Network Analytics settings
can now be found under "Appliances > Network Assets". Network Analytics
status information and data source configuration screens remain under
"Administration > Network Analytics".


3. Documentation Set
========================================================================

To download or view electronic versions of the documentation set for
this product, go to https://docs.trendmicro.com

* Administrator's Guide: A PDF document that contains detailed
  instructions on how to configure and manage Deep Discovery Director,
  and explanations on Deep Discovery Director concepts and features.
  In this release, the document also contains information about
  requirements and procedures for planning deployment, installing Deep
  Discovery Director, and using the preconfiguration console to set
  initial configurations and perform system tasks.

* Syslog Content Mapping Guide: The Syslog Content Mapping Guide
  provides information about log management standards and syntaxes
  for implementing syslog events in Deep Discovery Director.

* Automation API Guide: A PDF document that explains how to use Deep
  Discovery Director Automation APIs.

* Online Help: Web-based documentation that is accessible from the
  Deep Discovery Director management console and provides explanations
  of components and features, as well as procedures needed to
  configure Deep Discovery Director. To access the Online Help, go to
  https://docs.trendmicro.com

* Support Portal: The Support Portal contains information on
  troubleshooting and resolving known issues. To access the Support
  Portal, go to https://esupport.trendmicro.com


4. System Requirements
========================================================================

-----------------
Virtual appliance
-----------------

Virtual machine with the following minimum specifications:

* Hypervisor: VMware vSphere ESXi 6.0/6.5/6.7 or Microsoft Hyper-V in
  Windows Server 2016/2019
* Virtual machine hardware version: 8
* Guest operating system: CentOS Linux 6/7 (64-bit) or Red Hat
  Enterprise Linux 7 (64-bit)
* Network interface card: 1 with E1000 or VMXNET 3 adapter
* SCSI controller: LSI Logic Parallel
* CPU: 1.8GHz (at least 2 cores)
* Memory: 10GB
* Hard disk: 150GB

The minimum specifications are calculated using 30 days of detection
log storage for 1 Deep Discovery appliance as basis. The CPU, memory,
and hard disk requirements increase with the number of Deep Discovery
appliances Deep Discovery Director is expected to aggregate detection
logs from. For details, see the Recommended System Requirements topic
in Chapter 2 of the Administrator's Guide.

------------------
Management console
------------------

* Google Chrome(TM) 46.0 or later
* Mozilla(TM) Firefox(TM) 41.0 or later
* Microsoft(TM) Internet Explorer(TM) 11.0

Recommended resolution: 1280 x 800 or higher


5. Installation or Upgrade
========================================================================

1. See Chapter 2 of the Administrator's Guide for installation
   instructions.

   Important: Deep Discovery Director supports installation under
   either legacy Basic Input/Output System (BIOS) or Unified
   Extensible Firmware Interface (UEFI).

   * Changing the setting after installation causes Deep Discovery
     Director to be unable to boot.
   * Deep Discovery Director must be reinstalled to change the
     setting.

2. See the Firmware topic in Chapter 9 of the Administrator's Guide
   for upgrade instructions. Verify that there is 40GB free disk space
   before attempting to upgrade to Deep Discovery Director 5.3.

   Important: Deep Discovery Director 5.3 does not support integration
   with Deep Discovery Director - Network Analytics 3.0 servers and
   will remove those after the upgrade. Integrate with a new
   on-premises or software-as-a-service version of the Deep Discovery
   Director - Network Analytics server to access advanced threat
   analysis.


6. Post-Installation Configuration
========================================================================

No post-installation steps are required.


7. Known Issues
========================================================================

The following are the known issues in this release:

1.  Deep Discovery Director is unable to function correctly if the
    system is installed with multiple network adapters and if VMXNET
    is configured as the first adapter. Trend Micro recommends using a
    single network driver for all network interfaces.

2.  Deep Discovery Director does not support the VMXNET 2 (Enhanced)
    network adapter.

3.  Active Directory accounts without a User Principal Name (UPN)
    cannot be used to access the management console.

4.  Deep Discovery Director only supports certificates with the
    following attributes:

    a. The file format is PEM.
    b. The file contains the certificate by itself, or the certificate
       and the private key in the same file.
    c. The private key uses the RSA algorithm and is not
       password-encrypted.
    d. The certificate digest uses SHA-256 or higher.
    e. A certificate chain is supported.

5.  Deep Discovery Director is unable to connect to a global NTP
    server when proxy settings are configured. Use a local NTP server
    instead.

6.  The status of plans that were "pending" or "in progress" at the
    time of a backup, but that completed successfully while the backup
    was being restored, may display as "unsuccessful" after the backup
    is restored and Deep Discovery Director receives plan status
    updates from appliances.

7.  Microsoft Internet Explorer is unable to connect to Deep Discovery
    Director because SHA512 is disabled in Windows. Apply the Microsoft
    Windows update to enable the signature and hash algorithm
    combination for RSA\SHA512 for the Transport Layer Security (TLS)
    1.2 protocol. For details, see
    https://support.microsoft.com/en-us/kb/2973337

8.  The number of results shown on the "Affected Hosts" screen after
    searching for a specific host name, and the number of results
    shown on the "Affected Hosts - Host Details" screen after drilling
    down, may differ because drill downs always use the IP address.
    Host names are not unique, and multiple host names may be
    associated with one IP address.

9.  Firefox users may see an internal error screen if an error occurs
    when attempting to view the Virtual Analyzer report of a
    detection. Use another web browser to navigate the management
    console.

10. When a system service has to be restarted to recover from an
    error, Deep Discovery Director may not be able to recover
    detection logs that were corrupted.

11. Tooltips that appear near the bottom of the screen may blink
    uncontrollably.

12. The file archivers built into Windows and macOS are unable to
    extract files with very long file names from archive files
    generated by Deep Discovery Director. Use third-party archiving
    software to extract those files.

13. The Archive Utility built into macOS is unable to extract files
    from archive files generated by Deep Discovery Director. Use
    third-party archiving software on macOS to extract those files.

14. Internet Explorer is unable to download archive files generated by
    Deep Discovery Director. Use another web browser to download those
    files.

15. Deep Discovery Director is unable to restore configuration
    settings and database from backup files that take longer than 5
    minutes to upload.

16. Network and email security alerts may contain URLs in the body and
    the attached CSV file. Deep Discovery Director processes all URLs
    and replaces any "." with "[.]". This is done to prevent
    accidentally opening malicious URLs and flagging by antivirus
    programs on a user's computer.

17. When you enter two (00) or three (000) digit numbers as keywords
    to query MTA logs, the results may include entries where the
    timestamps match the keywords.

18. Deep Discovery Director is unable to install a firmware upgrade if
    free repository disk space is insufficient. Add extra available
    disk space to Deep Discovery Director before installing firmware
    upgrades.

19. The 'File and Network Activity' section of the Deep Discovery
    Director generated Virtual Analyzer Report for email message
    detections will look different from the Deep Discovery Email
    Inspector native Virtual Analyzer Report when the email messages
    have no-risk attachments. Deep Discovery Email Inspector does not
    include the information of no-risk items in the logs it sends to
    Deep Discovery Director.

20. Opening the PDF version of Virtual Analyzer Reports in a Chrome web
    browser may cause the hyperlinks in the 'Analysis Overview'
    section to not be clickable. Use the bookmarks to navigate, or
    open the PDF file in a PDF reader or another web browser.

21. Deep Discovery Director only sends trap messages for the status of
    the eth0 (management) port, even if multiple network interface
    cards are installed and port binding is configured.

22. When the Deep Discovery Director management console becomes
    unavailable because the system is powering off, restarting,
    undergoing maintenance, or for other similar reasons, users who
    were logged on to the EUQ console will not be redirected to
    temporary status screens. A notification message informing them of
    the system status will be displayed instead.

23. Deep Discovery appliances are unable to send their logs to Deep
    Discovery Director if the system times of Deep Discovery Director
    and its host machine differ. Configure Deep Discovery Director and
    its host machine to have matching system times and restart Deep
    Discovery Director to resolve the issue.

24. FTP active mode causes the client and server IP addresses to be
    reversed in the correlation data results. This issue results in
    Deep Discovery Director - Network Analytics as a Service
    identifying the wrong IP address as the Interested IP.

25. In Deep Discovery Director, you can configure a Synchronized
    Suspicious Object (VASO) to never expire. However, maximum data
    retention for Deep Discovery Director - Network Analytics as a
    Service is 180 days. The report of a VASO that never expires will
    be deleted after 180 days. Deep Discovery Director displays a
    "report not found" error when a user tries to open the report of a
    VASO that never expires and the VASO has existed for longer than
    the retention period.

26. Configuration changes will not be reflected in an existing
    correlation snapshot. When users want to view correlation events,
    they click the "Correlated Data" icon in Deep Discovery Director
    to trigger the generation of the correlation data. In Deep
    Discovery Director - Network Analytics as a Service 5.0, a design
    change was made to save time for users waiting for the dynamic
    generation of the correlation data: the correlation snapshot is
    now generated before the user triggers it. The side effect is that
    newly added configurations (such as additions to the Trusted
    Internal Network List or Domain Exceptions list) won't be reflected
    in an already existing correlation snapshot.

27. Deep Discovery Director - Network Analytics as a Service is unable
    to display IPv6 Endpoint Analysis Report status. Currently Apex
    Central does not support an Endpoint Analysis Report query of an
    IPv6 target.

28. When a document is embedded inside a Word document, there are two
    SHA1s associated with the file: the SHA1 of the embedded document
    and the SHA1 of the parent document. When Deep Discovery Inspector
    (ATSE Engine) scans a file with an embedded document, Deep
    Discovery Inspector returns the SHA1 only for the parent document.
    In the Correlation Data screen, the SHA1 for the embedded document
    contains only zeros. Additionally, the embedded file will not be
    part of the correlations.

29. Deep Discovery Director 5.1 no longer supports the SOCKS4/SOCKS5
    protocol for proxy. The proxy setting will be disabled if SOCKS4
    or SOCKS5 was selected before upgrading to Deep Discovery Director
    5.1. Manually enable the proxy setting after upgrading.

30. The number of results shown on the "Email Messages" screen and in
    the "Top Email Subjects" section of the Email Security report in
    Deep Discovery Director differ from the number of results shown in
    Deep Discovery Email Inspector because Deep Discovery Director's
    search is not case sensitive.

31. When viewing Virtual Analyzer Reports, clicking a link in the
    "Notable Threat Characteristics" column of the "MITRE ATT&CK(TM)
    Framework Tactics and Techniques" section does not take you to the
    "Notable Threat Characteristics" section if that section is
    collapsed. Expand the section before clicking a link in the
    "Notable Threat Characteristics" column.

32. Deep Discovery Director cannot connect to the Trend Micro Email
    Encryption Server when a proxy server that uses Digest or NTLM
    authentication is configured to connect to the Internet. Disable
    proxy settings or specify a proxy server that does not use Digest
    or NTLM authentication to connect to the Internet.

33. When viewing PDF files generated by Deep Discovery Director that
    contain tables, the header row of a table may be separated from
    the data rows if the table appears at the bottom of a page.

34. The number of events displayed on the Triggered Alerts screen may
    differ from the number of records displayed on the Network
    Detections or Email Messages screens when drilling down from the
    Triggered Alerts screen, because the related detection logs were
    not yet synced to Deep Discovery Director when the alert was
    triggered.

35. Deep Discovery Director displays a generic error message when users
    try to log on to the management console using single sign-on and
    the identity provider certificate has expired. Verify that identity
    provider related settings are valid in Deep Discovery Director,
    and that Okta and ADFS are configured correctly.

36. Internet Explorer 11 takes a long time to display the Dashboard
    screen after logging on to the management console. Use an
    alternate web browser such as Google Chrome or Mozilla Firefox
    instead.

37. The tutorial function for the Correlation Data screen does not
    work properly in Internet Explorer. Use an alternate web browser
    such as Google Chrome or Mozilla Firefox instead.


8. Contact Information
========================================================================

A license to Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support for
one (1) year from the date of purchase only. After the first year, you
must renew Maintenance on an annual basis at Trend Micro's then-current
Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to
download evaluation copies of Trend Micro products.

https://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.


9. About Trend Micro
========================================================================

Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative
security solutions that make the world safe for businesses and
consumers to exchange digital information.

Copyright 2021, Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro logo, Deep Discovery, and Deep Discovery
Director are trademarks or registered trademarks of Trend Micro,
Incorporated. All other product or company names may be trademarks or
registered trademarks of their owners.


10. License Agreement
========================================================================

View information about your license agreement with Trend Micro at:
www.trendmicro.com/us/about-us/legal-policies/license-agreements

Third-party licensing agreements can be viewed on the Deep Discovery
Director web console.
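Known issue 4 in section 7 lists the attributes a certificate file must have before Deep Discovery Director will accept it (PEM format, certificate alone or certificate plus private key in one file, an RSA key that is not password-encrypted, a SHA-256 or stronger digest, chains allowed). The script below is an added example and not part of this Trend Micro readme or of the product: it runs those checks against a candidate PEM file with the OpenSSL command-line tool, which it assumes is installed, so an operator can catch a rejected file before uploading it. As an extra check the readme does not list, it also verifies that a bundled private key actually belongs to the certificate, since a mismatched pair is a common cause of a rejected upload.

```sh
#!/bin/sh
# Added example, not part of the Trend Micro readme or product: pre-flight
# check of a certificate file against the attributes in known issue 4.
# Assumes the OpenSSL command-line tool is on PATH.

# ddd_cert_check FILE
#   Prints one FAIL line per violated attribute and returns 1, or prints an
#   OK line (with the number of certificates found) and returns 0.
ddd_cert_check() {
    file="$1"
    rc=0

    # a. PEM format: at least one PEM certificate block must be present.
    if ! grep -q '^-----BEGIN CERTIFICATE-----' "$file" 2>/dev/null; then
        echo "FAIL: $file contains no PEM certificate block"
        return 1
    fi

    # d. Signature digest must be SHA-256 or higher. The first
    #    "Signature Algorithm" line belongs to the leaf certificate,
    #    e.g. "sha256WithRSAEncryption".
    sig=$(openssl x509 -in "$file" -noout -text 2>/dev/null \
          | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    case "$sig" in
        sha256*|sha384*|sha512*) ;;
        *) echo "FAIL: certificate digest is '$sig', need SHA-256 or higher"
           rc=1 ;;
    esac

    # c. Key algorithm must be RSA. The certificate's public key algorithm
    #    is what any matching private key must use.
    alg=$(openssl x509 -in "$file" -noout -text 2>/dev/null \
          | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1)
    case "$alg" in
        rsaEncryption) ;;
        *) echo "FAIL: public key algorithm is '$alg', need RSA"; rc=1 ;;
    esac

    # b./c. If a private key is bundled it must not be password-encrypted.
    #    Both the PKCS#8 header and the legacy Proc-Type marker are checked.
    if grep -q '^-----BEGIN .*PRIVATE KEY-----' "$file"; then
        if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
                   -e '^Proc-Type: 4,ENCRYPTED' "$file"; then
            echo "FAIL: bundled private key is password-encrypted"
            rc=1
        else
            # Extra check (not in the readme): the key must belong to the
            # certificate. Compare the public key derived from each side.
            cert_pub=$(openssl x509 -in "$file" -noout -pubkey 2>/dev/null)
            key_pub=$(openssl pkey -in "$file" -pubout 2>/dev/null)
            if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
                echo "FAIL: bundled private key does not match the certificate"
                rc=1
            fi
        fi
    fi

    # e. Chains are supported: report how many certificates the file holds.
    count=$(grep -c '^-----BEGIN CERTIFICATE-----' "$file")
    if [ "$rc" -eq 0 ]; then
        echo "OK: $file ($count certificate(s), digest $sig)"
    fi
    return "$rc"
}

# Stand-alone usage:  sh ddd_cert_check.sh server.pem
if [ -n "$1" ]; then
    ddd_cert_check "$1"
fi
```

The digest and key-algorithm checks read the leaf certificate's own fields rather than trusting file names or headers, and the encryption check is done with the PEM markers so the script never has to hand a passphrase to OpenSSL. A non-zero exit status makes the function usable as a gate in a deployment pipeline.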