Trend Micro Incorporated                                    April 2021
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) Deep Discovery Director
(Internal Network Analytics Version)
Version 5.3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: This Readme file was current as of the date above. However,
all customers are advised to check Trend Micro's website for
documentation updates.

GM release documentation:
https://docs.trendmicro.com/en-us/enterprise/deep-discovery-director.aspx

Patch/SP release documentation:
https://downloadcenter.trendmicro.com

Contents
=====================================================================
1.  About Deep Discovery Director
2.  What's New
3.  Documentation Set
4.  System Requirements
5.  Installation or Upgrade
6.  Post-Installation Configuration
7.  Known Issues
8.  Contact Information
9.  About Trend Micro
10. License Agreement
=====================================================================

1. About Deep Discovery Director
========================================================================
Trend Micro Deep Discovery Director is a management solution that
enables the following for Deep Discovery Inspector, Deep Discovery
Analyzer, and Deep Discovery Director (Standalone Network Analytics
Mode) appliances:

* Centralized deployment of hotfixes, critical patches, firmware, and
  Virtual Analyzer images
* Configuration replication
* Log aggregation
* Realtime threat detection monitoring and correlation
* Threat intelligence management and sharing

2. What's New
========================================================================
This product release includes the following new features:

Support for Linux-based Virtual Analyzer Images
-----------------------------
Deep Discovery Director now supports deployment of Linux-based Virtual
Analyzer images to managed Deep Discovery appliances.

Centralized configuration of Network Asset settings
-----------------------------
Deep Discovery Director now supports syncing of Network Asset settings
to managed Deep Discovery Inspector and Deep Discovery Director -
Network Analytics products.

Network Analytics alert for Suspicious Objects
-----------------------------
Deep Discovery Director can now send alert notifications when
correlated events have been found for user-defined suspicious objects.

Enhanced management console navigation
-----------------------------
The "Domain Exceptions", "Priority Watch List", "Registered Domains",
"Network Groups", and "Registered Services" Network Analytics settings
can now be found under "Appliances > Network Assets". Network Analytics
status information and data source configuration screens remain under
"Administration > Network Analytics".

3. Documentation Set
========================================================================
To download or view electronic versions of the documentation set for
this product, go to https://docs.trendmicro.com

* Administrator's Guide: A PDF document that contains detailed
  instructions on how to configure and manage Deep Discovery Director,
  and explanations on Deep Discovery Director concepts and features.
  In this release, the document also contains information about
  requirements and procedures for planning deployment, installing Deep
  Discovery Director, and using the Preconfiguration Console to set
  initial configurations and perform system tasks.

* Syslog Content Mapping Guide: The Syslog Content Mapping Guide
  provides information about log management standards and syntaxes for
  implementing syslog events in Deep Discovery Director.

* Automation API Guide: A PDF document that explains how to use Deep
  Discovery Director Automation APIs.

* Quick Start Card: The Quick Start Card provides user-friendly
  instructions on connecting Deep Discovery Director to your network
  and on performing initial configuration.

* Online Help: Web-based documentation that is accessible from the
  Deep Discovery Director management console and provides explanations
  of components and features, as well as procedures needed to
  configure Deep Discovery Director. To access the Online Help, go to
  https://docs.trendmicro.com

* Support Portal: The Support Portal contains information on
  troubleshooting and resolving known issues. To access the Support
  Portal, go to https://esupport.trendmicro.com

* Installation and Deployment Guide: The Installation and Deployment
  Guide contains information about requirements and procedures for
  planning deployment, installing Deep Discovery Director, and using
  the Preconfiguration Console to set initial configurations and
  perform system tasks.

4. System Requirements
========================================================================
-----------------
Hardware appliance
-----------------
See the Installation and Deployment Guide for a list of system
requirements.

-----------------
Virtual appliance
-----------------
Virtual machine with the following minimum specifications:

* Hypervisor: VMware vSphere ESXi 6.0/6.5/6.7 or Microsoft Hyper-V in
  Windows Server 2016/2019
* Virtual machine hardware version: 8
* Guest operating system: CentOS Linux 6/7 (64-bit) or Red Hat
  Enterprise Linux 7 (64-bit)
* Network interface card: 1 with E1000 or VMXNET 3 adapter
* SCSI controller: LSI Logic Parallel
* CPU: 1.8GHz (at least 8 cores)
* Memory: 24GB
* Hard disk: 300GB

The minimum specifications are calculated using 30 days of detection
log storage for 1 Deep Discovery appliance as basis. The CPU, memory,
and hard disk requirements increase with the expected throughput for
Deep Discovery Director and with the number of Deep Discovery
appliances Deep Discovery Director is expected to aggregate detection
logs from. For details, see the Recommended System Requirements topic
in Chapter 2 of the Administrator's Guide.

------------------
Management console
------------------
* Google Chrome(TM) 46.0 or later
* Mozilla(TM) Firefox(TM) 41.0 or later
* Microsoft(TM) Internet Explorer(TM) 11.0

Recommended resolution: 1280 x 800 or higher

5. Installation or Upgrade
========================================================================
-----------------
Hardware appliance
-----------------
1. See the Quick Start Card and Chapter 2 of the Installation and
   Deployment Guide for installation instructions.

2. See the Firmware topic in Chapter 9 of the Administrator's Guide
   for upgrade instructions.

-----------------
Virtual appliance
-----------------
1. See Chapter 2 of the Administrator's Guide for installation
   instructions.

   Important: Deep Discovery Director supports installation under
   either legacy Basic Input/Output System (BIOS) or Unified
   Extensible Firmware Interface (UEFI).

   * Changing the setting after installation causes Deep Discovery
     Director to be unable to boot.
   * Deep Discovery Director must be reinstalled to change the
     setting.

2. See the Firmware topic in Chapter 9 of the Administrator's Guide
   for upgrade instructions.

   Verify that there is 40GB free disk space before attempting to
   upgrade to Deep Discovery Director 5.3.

6. Post-Installation Configuration
========================================================================
No post-installation steps are required.

7. Known Issues
========================================================================
The following are the known issues in this release:

1.  Deep Discovery Director is unable to function correctly if the
    system is installed with multiple network adapters and if VMXNET
    is configured as the first adapter. Trend Micro recommends using
    a single network driver for all network interfaces.

2.  Deep Discovery Director does not support the VMXNET 2 (Enhanced)
    network adapter.

3.  Active Directory accounts without a User Principal Name (UPN)
    cannot be used to access the management console.

4.  Deep Discovery Director only supports certificates with the
    following attributes:

    a. The file format is PEM.
    b. The certificate file by itself, or the certificate and the
       private key are in the same file.
    c. The private key uses the RSA algorithm and is not
       password-encrypted.
    d. The certificate digest uses SHA-256 or higher.
    e. A certificate chain is supported.

5.  Deep Discovery Director is unable to connect to a global NTP
    server when proxy settings are configured. Use a local NTP server
    instead.

6.  The status of plans that were "pending" or "in progress" at the
    time of a backup, but that have been completed successfully while
    restoring the backup, may display as "unsuccessful" after the
    backup is restored and Deep Discovery Director receives plan
    status updates from appliances.

7.  Microsoft Internet Explorer is unable to connect to Deep Discovery
    Director because SHA512 is disabled in Windows. Apply the
    Microsoft Windows update to enable the signature and hash
    algorithm combination for RSA\SHA512 for the Transport Layer
    Security (TLS) 1.2 protocol. For details, see
    https://support.microsoft.com/en-us/kb/2973337 .

8.  The number of results shown on the "Affected Hosts" screen after
    searching for a specific host name, and the number of results
    shown on the "Affected Hosts - Host Details" screen after drilling
    down may differ because drill downs always use the IP address.
    Host names are not unique, and multiple host names may be
    associated with one IP address.

9.  Firefox users may see an internal error screen if an error occurs
    when attempting to view the Virtual Analyzer report of a
    detection. Use another web browser to navigate the management
    console.

10. When a system service has to be restarted to recover from an
    error, Deep Discovery Director may not be able to recover
    detection logs that were corrupted.

11. Tooltips that appear near the bottom of the screen may blink
    uncontrollably.

12. The file archivers built into Windows and macOS are unable to
    extract files with very long file names from archive files
    generated by Deep Discovery Director. Use third-party archiving
    software to extract those files.

13. Archive Utility built into macOS is unable to extract files from
    archive files generated by Deep Discovery Director. Use
    third-party archiving software on macOS to extract those files.

14. Internet Explorer is unable to download archive files generated by
    Deep Discovery Director. Use another web browser to download those
    files.

15. Deep Discovery Director is unable to restore configuration
    settings and database from backup files that take longer than 5
    minutes to upload.

16. Network security alerts may contain URLs in the body and the
    attached CSV file. Deep Discovery Director processes all URLs and
    replaces any "." with "[.]". This is done to prevent accidentally
    opening malicious URLs and flagging by antivirus programs on a
    user's computer.

17. Deep Discovery Director is unable to install a firmware upgrade if
    free repository disk space is insufficient. Add extra available
    disk space to Deep Discovery Director before installing firmware
    upgrades.

18. Opening the PDF version of Virtual Analyzer Reports in a Chrome
    web browser may cause the hyperlinks in the 'Analysis Overview'
    section to not be clickable. Use the bookmarks to navigate, or
    open the PDF file in a PDF reader or another web browser.

19. Deep Discovery Director only sends trap messages for the status of
    the eth0 (management) port, even if multiple network interface
    cards are installed and port binding is configured.

20. Deep Discovery appliances are unable to send their logs to Deep
    Discovery Director if the system times of Deep Discovery Director
    and its host machine are different. Configure Deep Discovery
    Director and its host machine to have matching system times and
    restart Deep Discovery Director to resolve the issue.

21. Deep Discovery Director 5.1 no longer supports SOCKS4/SOCKS5
    protocol for proxy. The proxy setting will be disabled if SOCKS4
    or SOCKS5 was selected before upgrading to Deep Discovery Director
    5.1. Manually enable the proxy setting after upgrading.

22. When viewing Virtual Analyzer Reports, clicking on a link in the
    "Notable Threat Characteristics" column of the "MITRE ATT&CK(TM)
    Framework Tactics and Techniques" section does not take you to the
    "Notable Threat Characteristics" section if the section is
    collapsed. Expand the section before clicking on a link in the
    "Notable Threat Characteristics" column.

23. When viewing PDF files generated by Deep Discovery Director that
    contain tables, the header row of a table may be separated from
    the data rows if the table appears at the bottom of a page.

24. The number of events displayed on the Triggered Alerts screen may
    differ from the number of records displayed on the Network
    Detections or Email Messages screens when drilling down from the
    Triggered Alerts screen because the related detection logs were
    not yet synced to Deep Discovery Director when the alert was
    triggered.

25. Deep Discovery Director displays a generic error message when
    users try to log on to the management console using single sign-on
    when the identity provider certificate has expired. Verify that
    identity provider related settings are valid in Deep Discovery
    Director, and that Okta and ADFS are configured correctly.

26. Internet Explorer 11 takes a long time to display the Dashboard
    screen after logging on to the management console. Use an
    alternate web browser such as Google Chrome or Mozilla Firefox
    instead.

27. Deep Discovery Director - Network Analytics is unable to display
    IPv6 Endpoint Analysis Report status. Currently Apex Central does
    not support an Endpoint Analysis Report query of an IPv6 target.

28. The tutorial function for the Correlation Data screen does not
    work properly in Internet Explorer. Use an alternate web browser
    such as Google Chrome or Mozilla Firefox instead.

8. Contact Information
========================================================================
A license to Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support for
one (1) year from the date of purchase only. After the first year, you
must renew Maintenance on an annual basis at Trend Micro's
then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to
download evaluation copies of Trend Micro products.

https://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.

9. About Trend Micro
========================================================================
Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative
security solutions that make the world safe for businesses and
consumers to exchange digital information.

Copyright 2021, Trend Micro Incorporated. All rights reserved. Trend
Micro, the Trend Micro logo, Deep Discovery, and Deep Discovery
Director are trademarks or registered trademarks of Trend Micro,
Incorporated. All other product or company names may be trademarks or
registered trademarks of their owners.

10. License Agreement
========================================================================
View information about your license agreement with Trend Micro at:
www.trendmicro.com/us/about-us/legal-policies/license-agreements

Third-party licensing agreements can be viewed on the Deep Discovery
Director web console.
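
Added example (not part of the Trend Micro readme or product code): a
pre-upload check for the certificate attributes listed under Known
Issue 4 (PEM format, unencrypted RSA key, SHA-256 or higher digest,
chains allowed). It assumes "digest" means the hash named in the
certificate's signature algorithm; check_pem and the other names are
illustrative, and the sample input is a constructed DER skeleton.

```python
import base64
import re

RSA_OID = "2a864886f70d010101"  # rsaEncryption
SIG_DIGEST = {  # signature-algorithm OID (DER hex) -> digest; RSA, then ECDSA
    "2a864886f70d010104": "md5", "2a864886f70d010105": "sha1",
    "2a864886f70d01010b": "sha256", "2a864886f70d01010c": "sha384",
    "2a864886f70d01010d": "sha512", "2a8648ce3d040302": "sha256",
    "2a8648ce3d040303": "sha384", "2a8648ce3d040304": "sha512",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def tlv(buf, pos):
    """Read one DER TLV header at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def algorithm_oid(der):
    """Certificate and PKCS#8 key both start SEQUENCE { x, SEQUENCE { OID, ..."""
    _, first_end = tlv(der, tlv(der, 0)[0])  # enter outer SEQUENCE, skip first field
    oid_start, oid_end = tlv(der, tlv(der, first_end)[0])  # enter AlgorithmIdentifier
    return der[oid_start:oid_end].hex()

def check_pem(text):
    """Return a list of problems; an empty list means attributes a-d are met."""
    problems, certs = [], 0
    for label, body in PEM_RE.findall(text):
        if label == "CERTIFICATE":
            certs += 1
            digest = SIG_DIGEST.get(algorithm_oid(base64.b64decode(body)), "unknown")
            if digest not in ("sha256", "sha384", "sha512"):
                problems.append(f"certificate {certs}: digest is {digest}")
        elif label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is password-encrypted")
        elif label == "PRIVATE KEY" and algorithm_oid(base64.b64decode(body)) != RSA_OID:
            problems.append("private key is not RSA")
        elif label not in ("PRIVATE KEY", "RSA PRIVATE KEY"):
            problems.append(f"unsupported PEM block: {label}")
    return problems if certs else problems + ["no PEM certificate found"]

def sample_pem(oid_hex):
    """Constructed DER skeleton (not a real certificate) carrying the given OID."""
    seq = lambda b: bytes([0x30, len(b)]) + b
    oid = bytes.fromhex(oid_hex)
    der = seq(seq(b"") + seq(bytes([6, len(oid)]) + oid + b"\x05\x00") + b"\x03\x01\x00")
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Run check_pem on the text of the file before uploading it; every
certificate in a chain is checked, and malformed DER raises an
exception instead of returning a result.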