Top 10 rules that Threat Discovery Appliance (TDA) triggers

    • Updated:
    • 30 Jan 2015
    • Product/Version:
    • Threat Discovery Appliance 2.0
    • Threat Discovery Appliance 2.5
    • Platform:
    • Not Applicable N/A
Summary
This article enumerates the common rule IDs that TDA triggers and explains what the rules are about.
Details
Rules
Rule: Monitored client is connecting to an authorized service that presents a security risk
Rule ID: 52
Description: Email message sent through a non-trusted SMTP server.

This rule is triggered when an internal host sends email to an SMTP server that has not been registered in TDA's registered services.

If malware-related, this can be a source of information leakage or of spam being sent to public SMTP servers. However, it may be a common occurrence in networks where the use of a public SMTP server is allowed.

Use discretion when registering servers in TDA's registered services.

Rule: Monitored client is downloading a suspicious file
Rule ID: 1
Description: Suspicious file extension for an executable file.

This rule is triggered when a host attempts to download a file that is determined to be executable but has a *.com, *.bat, *.pif or *.cmd extension.

These file extensions are commonly used to disguise malware.

Rule: Monitored client is downloading malware
Description: VSAPI

This rule is triggered when malware detected by VSAPI is downloaded from the internet. In most cases it is not accurate to assume that the user or machine has been infected, especially if an endpoint solution is present.

Along with other rules, this event is sent to the cloud for correlation.

Rule: Hacking attempt
Rule ID: 38
Description: Multiple logon failures.

This rule is triggered when a certain threshold of failed login attempts is reached. Numerous failed authentication attempts are a good indication of a malicious user or process trying to gain network access by password guessing.

Rule: Monitored client is hosting an unauthorized service that presents a security risk
Rule ID: 40
Description: Rogue service detected.

This rule detects SMTP and DNS services that are not registered in TDA's registered services. It is usually best to confirm these detections with the customer.

Rogue services are security risks in a corporate network because they are generally mismanaged and often do not comply with the existing security policies.

Rule: Monitored client is receiving an email with a suspicious attachment
Rule ID: 54
Description: Email message contains an archive file with a packed executable file.

This rule is triggered when an email attachment contains a file detected by IntelliTrap.

Trend Micro's IntelliTrap detection technology heuristically identifies variants of known malware by detecting the use of the popular compression applications that hackers use to create them.

Rule: Monitored client is sending out suspicious email
Rule ID: 29
Description: SMTP open-relay access attempted.

This rule is triggered when an internal host sends an SMTP email where neither the sender's domain nor the recipient's domain exists in TDA's registered domains. This is a common characteristic of spoofed email.

Email aliases are considered trusted for this rule. This requires that the administrator adds all the email domains the company uses to TDA's registered domains. Use discretion when adding public domains.

Rule: Monitored client is receiving email with a phishing link
Rule ID: 72
Description: Email contains a suspicious link to a possible phishing site.

This rule is triggered when the domain of the sender's email address matches our list of commonly phished domains (e.g. Citibank, PayPal, eBay) and the message contains a hard-coded IP address in any form (integer, octal, hexadecimal, etc.).
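As an added illustration (not code from the article or from TDA), the two conditions rule 72 describes written out in Python: the sender's domain is on a watch list of commonly phished domains, and the message carries a link whose host is an IP literal in dotted, integer, octal or hexadecimal form. The watch list and the sample message are constructed for the example.

```python
import re

# Constructed watch list; the article names Citibank, PayPal and eBay as examples.
PHISHED_DOMAINS = {"citibank.com", "paypal.com", "ebay.com"}

# Host part of every http(s) URL in a message body.
URL_HOST = re.compile(r"(?i)https?://([^\s/:?#]+)")

def _component(part):
    """One dotted component under inet_aton rules: 0x hex, 0-prefixed octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    return int(part) if part.isdigit() else None

def parse_ip_literal(host):
    """Normalise an IPv4 literal (integer, octal, hex or dotted mix) to a.b.c.d; None if it is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = [_component(p) for p in parts]
    if any(v is None for v in vals):
        return None
    *lead, last = vals
    tail_bits = 8 * (5 - len(vals))          # the last component fills the remaining bytes
    if any(v > 255 for v in lead) or last >= 1 << tail_bits:
        return None
    addr = 0
    for v in lead:
        addr = (addr << 8) | v
    addr = (addr << tail_bits) | last
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

def hardcoded_ip_links(body):
    """URL hosts in the body that are IP literals, as (as_written, dotted_quad) pairs."""
    pairs = ((h, parse_ip_literal(h)) for h in URL_HOST.findall(body))
    return [(h, d) for h, d in pairs if d]

def phishing_link_rule(from_header, body):
    """Rule 72 as the article describes it: phished sender domain AND a hard-coded-IP link."""
    dom = from_header.rsplit("@", 1)[-1].rstrip("> ").lower()
    phished = any(dom == d or dom.endswith("." + d) for d in PHISHED_DOMAINS)
    links = hardcoded_ip_links(body)
    return phished and bool(links), links

# Constructed sample message (not taken from the article).
SAMPLE_FROM = "PayPal Security <service@paypal.com>"
SAMPLE_BODY = "Your account is limited. Verify at http://0xC0A80101/verify or https://3232235778/login now."
```

The normaliser is what makes the "any form" part of the rule work: all four spellings of 192.168.1.1 below resolve to the same address before the watch-list check is applied.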

Rule: Monitored client has malware that is communicating with an external party
Rule ID: 18
Description: DNS query for a known IRC Command and Control server.

This rule is triggered when a DNS query is made for a domain that is present in our blacklist of known IRC C&C servers. This happens because "bots" with hard-coded C&C domains must resolve the IP address before establishing a TCP/IP connection.

The Internet Relay Chat (IRC) protocol is commonly used by malicious bots for communications.

C&C stands for Command & Control. C&C servers are used by bot masters to control botnets. Typically, a bot contacts these servers to receive instructions and updates, in this case over the IRC protocol.

Rule: Monitored client is running IRC
Rule ID: 49
Description: IRC protocol detected.

This rule is triggered when the IRC protocol is detected on an incoming or outgoing connection. This does not necessarily signify the presence of a "bot"; it can simply be users chatting via IRC.

Consult the company policy on whether such activity is permitted. In any case, it is worth checking whether there are other suspicious activities involving those hosts.

Category:
Troubleshoot; Update
Solution Id:
1056400