If users select internal Virtual Analyzer for testing suspicious files that DDI encounters, three network types can be selected and the selected network type determines the Internet connectivity of Virtual Analyzer.
When Management network is used, internal Virtual Analyzer connects to the Internet using the DDI management port. If Custom network is selected, internal Virtual Analyzer could connect to the Internet via another data port.
Recommendation
Since suspicious files analyzed by internal Virtual Analyzer might also trigger some malicious traffics, for instance, connecting back to the command and control servers, those traffics would be intercepted and will trigger certain DDI rules. To easily identify those detections that are from the internal Virtual Analyzer, Trend Micro recommends:
- Setting up custom network and configuring a specific port for Virtual Analyzer traffic.
- Testing the Internet connectivity whenever new settings are saved.
Configuration
To configure a custom network for internal Virtual Analyzer:
-
On the Management console, go to Administration > Virtual Analyzer > Setup.
-
Tick the Submit files to Virtual Analyzer checkbox then specify another data port, IP, or proxy settings for the Internet connectivity of Virtual Analyzer.
-
Click Save.
