Advanced Reporting and Management for InterScan™ Web Security 1

N/A
N/A
Protected

Academic year: 2021

Share "Advanced Reporting and Management for InterScan TM Web Security1"

Copied!
370
0
0

Loading.... (view fulltext now)

Full text

Web Management Simplified

documentation, which are available from the Trend Micro Web site at: http://www.trendmicro.com/download

Trend Micro, the Trend Micro t-ball logo, Damage Cleanup Services, InterScan, TrendLabs, Web Security Suite, Web Security Appliance, Web Security Virtual Appliance, are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright © 2011. Trend Micro Incorporated. All rights reserved. Document Part No. IBEM13824_80903

Release Date: January 2011


read through it prior to installing or using the software.

Detailed information about how to use specific features within the software is available in the online help file and the Knowledge Base at the Trend Micro Web site.

Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site:


Preface

Advanced Reporting and Management Documentation ... iv-xiv
Audience ... xiv
Document Conventions ... xv

Chapter 1: Overview

Introducing ARM ... 1-2
The Difference between Logs and Reports ... 1-2
Reporting Capabilities ... 1-2
Centralized Reporting ... 1-3
GUI-based and Custom Reporting ... 1-3
Central Policy Management ... 1-3
Features and Benefits ... 1-4
Screen Display ... 1-4
Navigation ... 1-6
New in this Release ... 1-7

Chapter 2: Getting Started

Default Report Categories ... 2-8
Network Utilization ... 2-9
Device Health ... 2-10
Top 10 Live Statistics ... 2-12
Live Activity Monitor ... 2-14
URL and Malware Trending ... 2-14
Using the Dashboard ... 2-15
Chart Type Combinations ... 2-15
Configuring the Dashboard Settings ... 2-17
Configuring Live Activity Monitoring Filters ... 2-19
Threat Resources ... 2-24

Chapter 3: Reports

Deleting a Report Template ... 3-75
Scheduled Reports ... 3-76
Anonymous Reporting for Scheduled Reports ... 3-76
Scheduled Daily Reports ... 3-77
Setting up Scheduled Daily Reports ... 3-78
Saved Daily Reports ... 3-79
Scheduled Weekly Reports ... 3-79
Setting up Scheduled Weekly Reports ... 3-80
Saved Weekly Reports ... 3-82
Scheduled Monthly Reports ... 3-82
Setting up Scheduled Monthly Reports ... 3-83
Saved Monthly Reports ... 3-84
Settings ... 3-85
Custom Reports ... 3-86
Managing Custom Reports ... 3-87
Generating Custom Reports ... 3-87
Generating Scheduled Custom Reports ... 3-88

Chapter 4: Logs

Chapter 5: Gateway Devices

Registering Devices ... 5-2
Registering InterScan Web Security Products with ARM ... 5-2
Registering a Standalone IWSx Server ... 5-3
Important Information About Working with HA pairs ... 5-12
Registering an IWSVA HA Pair Member ... 5-12
Performance Considerations ... 5-15
Server Farm Support in ARM ... 5-16
Retaining IWSVA 5.0 Logs When Upgrading to IWSVA 5.1 Devices ... 5-17
Manually Registering ARM with InterScan Web Security Products ... 5-18
Reverting Back to the IWSx Database ... 5-23
Deactivating and Reverting to the IWSx Database Automatically ... 5-24
Manual Deactivation: Reverting to the IWSx Database Manually ... 5-27

Chapter 6: Administration

Network Configuration ... 6-33
System Time ... 6-35
Manually Setting the System Time ... 6-35
Setting the Time Zone ... 6-36
Automatically Setting the System Time ... 6-36

Chapter 7: Command Line Interface Commands

CLI Command Overview ... 7-2
Accessing the Privileged CLI Mode ... 7-2
Accessing the OS Shell ... 7-3
ARM CLI Commands ... 7-4

Appendix A: Using iReport with ARM

Appendix B: Refresh Rate Configurations

Refresh Rate Overview ... B-2
Configuring ARM's Data Insertion Frequency ... B-2
Flushing Log Entries to ARM ... B-4
Configuring the IWSx Logging Frequency ... B-4
Enabling Access Logging and Modifying the Database Update Interval ... B-5
Modifying the Metric Daemon Logging Intervals ... B-6

Appendix C: Contact Information and Web-based Resources

Contacting Technical Support ... C-2
Enterprise and Small & Medium Business ... C-2
Toll-free phone support ... C-3
Global Support ... C-3
ARM Core Files for Support ... C-4
Knowledge Base ... C-4
Sending Suspicious Code to Trend Micro ... C-4
TrendLabs ... C-5
Security Information Center ... C-7
TrendEdge ... C-9

Appendix D: Mapping File Types to MIME Content-types

File and MIME Types ... D-2

Appendix E: Restarting the IWSx Local Database

Overview ... E-2
Restarting the IWSx Local Database to Resolve Connection Issues ... E-2

Appendix F: Recovering From Fatal Malfunctions or IP

Preface

Welcome to the Trend Micro™ Advanced Reporting and Management Administrator's Guide. This book contains information about product settings and service levels.

This preface describes the following topics:

• Advanced Reporting and Management Documentation on page xiv
• Audience on page xiv


Advanced Reporting and Management Documentation

The Trend Micro Advanced Reporting and Management (ARM) documentation consists of the following:

• Online Help: Helps you configure all features through the user interface. You can access the online help by opening the Web console and then clicking the help icon.
• Administrator's Guide: Helps you plan for deployment and configure all product settings.
• Installation Guide: Helps you install, configure and get started with the product.
• Readme File: Contains late-breaking product information that might not be found in other documentation. Topics include a description of features, installation tips, known issues, and product release history.

The Administrator's Guide, Installation Guide, and readme are available at:

http://www.trendmicro.com/download

Audience

The ARM documentation is written for IT managers and system administrators working in a medium or large enterprise environment. The documentation assumes that the reader has in-depth knowledge of network schemas, including details related to the following:

• Basic SQL query knowledge
• Database configuration


Document Conventions

To help you locate and interpret information easily, the ARM documentation uses the following conventions.

CONVENTION      DESCRIPTION
ALL CAPITALS    Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold            Menus and menu commands, command buttons, tabs, options, and ScanMail tasks
Italics         References to other documentation
Monospace       Examples, sample command lines, program code, Web URL, file name, and program output
Note:           Configuration notes
Tip:            Recommendations
WARNING!


Overview

This chapter offers an introduction to Trend Micro Advanced Reporting and Management (ARM), screen navigation tips, and examples of report displays. Topics include:


Introducing ARM

Trend Micro Advanced Reporting and Management (ARM) provides customers with a high-performance, off-box reporting solution. ARM is based on new advanced database technology which greatly enhances the current InterScan Web Security product reporting capabilities and provides advanced features, such as dynamic dashboard, drill-down reporting, custom reporting and real-time, problem-solving capabilities. Supported InterScan Web Security products (IWSx) include:

• InterScan Web Security Appliance (IWSA) 3.1 SP1
• InterScan Web Security Suite (IWSS) 3.1 Linux
• InterScan Web Security Virtual Appliance (IWSVA) 3.1
• InterScan Web Security Virtual Appliance (IWSVA) 5.0
• InterScan Web Security Virtual Appliance (IWSVA) 5.1
• InterScan Web Security Virtual Appliance (IWSVA) 5.1 SP1

Note: In this document, IWSVA 5.x refers to IWSVA 5.0 and later versions.

The Difference between Logs and Reports

Logs can give very detailed information about events, but the format can be prohibitive. You would need to wade through a vast amount of information to find the summary details you want. Reports present log details in an easy-to-read fashion, usually using charts and graphs, that allow you to find and interpret the data you need quickly.

Reporting Capabilities

ARM provides rapid report generation that is not possible with standard SQL databases. ARM allows you to customize the dashboards and obtain real-time report statistics with full drill-down capabilities, giving you the ability to fully manage and troubleshoot malware issues in real time.


ARM tracks, compiles, and makes your data available to you in real time and allows you to access reports anywhere by logging in.

Centralized Reporting

Enterprise customers with multiple InterScan Web Security units require centralized reporting and statistics. ARM allows multiple InterScan Web Security products to connect to an advanced PostgreSQL database used by ARM. This redirection allows for truly centralized statistical analysis and provides accurate information for a specific geographical region or for an entire organization.

You can reconfigure the InterScan Web Security products to use the ARM database as the reporting database for InterScan Web Security products. With the ARM custom reporting feature, you no longer need to define and support custom SQL databases and scripts. However, you can create your own custom reports using the iReport™ application.

GUI-based and Custom Reporting

ARM acts as a presentation layer for new capabilities, such as dynamic dashboarding, real-time reporting, drill-down reporting, column sorting and others.

With the ARM custom reporting feature, you can fully support yourself for new reports. ARM is compatible with the iReport application, which allows you to construct the queries you need based on the tables in the ARM database.

Central Policy Management

ARM provides a mechanism for users with multiple supported InterScan Web Security devices to centrally manage policies among InterScan Web Security units.


Features and Benefits

ARM provides a centralized reporting and policy management solution that provides:

• Instant reporting capabilities for IWSA 3.1 SP1, IWSS 3.1 Linux, IWSVA 3.1 and IWSVA 5.x pre-canned report types to eliminate or reduce reports that take many hours to complete
• Centralized logging and reporting for multiple InterScan Web Security product units
• Custom reporting with GUI interface for fast report creation, using iReport
• Real-time, historic, and ad hoc reporting capabilities
• Dynamic dashboard for true Network Operation Center (NOC) monitoring
• Ability to troubleshoot with drill-down reporting
• Central policy and configuration management and synchronization between multiple managed InterScan Web Security product units
• Reports about ARM's CPU, memory, and disk space usage
• Notifications about ARM's disk space usage
• Ability to create anonymous reports to prevent user identification information from being displayed in reports

Screen Display

When a user first logs into ARM, users see the default report settings (without data) for the dashboard, which include:

• Current Connections
• Top 10 URL Categories
• Top 10 Users for Malicious URLs
• Top 10 Virus and Spyware

When a user first logs into ARM, it is important to:

• Activate the license
• Register InterScan Web Security products


After completing these steps, ARM displays a status dashboard with configurable components that provides a high-level view of the statistics you need the most. (See Figure 1-1.)

Note: The status dashboard displays after logging in, provided that:

- The InterScan Web Security products are registered with ARM.
- The dashboard settings have been configured.
- There is a stream of data being imported from IWSx units.
- Access logging is enabled on IWSx units for certain types of dashboards.


Navigation

Use the left menu for navigation. (See Figure 1-2.)

FIGURE 1-2. Left Menu

Table 1-1 lists each menu item and provides a description about what it accesses.

TABLE 1-1. ARM Menu Items

MENU ITEM - ACCESSES

Dashboard - Link to Dashboard Settings and Threat Resources
Reports - Quick Reports; Scheduled Reports (includes Daily, Weekly, Monthly, and Settings); Report Templates; Custom Reports
Logs - Log Query
Gateway Devices - Device Registration; Device Grouping; Device Management; Setting Replication
Administration - ARM Configuration (includes SMTP IP address settings); Management Console (includes Account Administration); System Maintenance (includes Config Backup/Restore, System Patch, Update OS, and Support Notifications); Product License
Password - Change password

New in this Release

This product release introduces the following new features and enhancements:

TABLE 1-2. New in ARM 1.0 Service Pack 3

WHAT'S NEW - DESCRIPTION

IWSVA 5.1 High Availability Mode Support - Supports IWSVA High Availability (HA) mode where two IWSVA devices are registered as an HA pair in ARM. For details of HA mode in ARM, see Registering an IWSVA HA Pair Member on page 5-12.

Enhanced Replication - This feature gives the administrator the option to replicate policies and configurations from a source IWSx device to one or more destination IWSx devices on a manual or recurring basis. For details, see Replication Settings on page 5-39.


Getting Started

This chapter describes the essential features needed to get up and running with Trend Micro Advanced Reporting and Management (ARM).

Topics include:

• Accessing ARM starting on page 2-2
• Prerequisites to Getting Started starting on page 2-4
• Dashboard Overview starting on page 2-5


Accessing ARM

Information about installing Trend Micro Advanced Reporting and Management (ARM) is available in the ARM Installation Guide. Chapter 1 of the ARM Installation Guide also contains the recommended server requirements.

After installation, you need to know the IP address of the machine where ARM is installed to complete the following procedure.

To access and log into ARM:

1. Go to https://<ip address>:<port number>/. The default port number is 8443.
2. Enter the username and password.
   Note: The initial default "admin" account password is set during the installation of ARM.
3. Select Login.

Note: Using an IWSx proxy between the ARM GUI management console and the ARM host machine causes IWSx to scan the content in this network topology. This prevents information about the Device Group from being accessible from the Quick Reports and Log Query pages. Generation of quick reports and logs is prevented because the device group data is invalid.

There are two ways to provide a workaround to exclude the ARM host from being scanned by the IWSx proxy device:

1. Add <IP_address_of_ARM_host>:8443 (the ARM host IP address and port number) to the IWSx trusted URL white list to allow IWSx to bypass scanning the traffic contents coming from the ARM host machine.


Logging in

Your user name and password denote your permissions level, which determines the functions you can access and perform with ARM. ARM has three levels of users. (See Table 2-1.)

See Account Administration for more information about creating accounts and user permissions levels.

Command Line Access

ARM provides a Command Line Interface (CLI) to allow configuration of the appliance using an industry standard CLI syntax. The CLI offers additional commands and functionality to manage, troubleshoot, and maintain ARM. The CLI can be accessed using a local console keyboard and monitor or remotely through SSHv2. By default, SSH is disabled on the ARM server for security purposes. You can enable SSH access using the “enable ssh” command from the CLI privileged mode.

For more information, see: CLI Command Overview.

TABLE 2-1. User Levels in ARM

USER TYPE - PERMISSIONS

Administrator - Can access and configure all ARM functions and produce reports
Auditor - Can view configuration and produce pre-defined reports
Reports only - Can create report templates and schedule and run


Prerequisites to Getting Started

After installing and logging into the ARM console, complete the following procedures to display InterScan Web Security data:

Note: Be aware that refreshing your browser logs you out of the ARM Web console.

• License and activate the product at Administration > Product License > New Activation Code. See: Product License
• Register IWSx devices and create the necessary Device Groups. See: Registering Devices
• Point the database of your InterScan Web Security Product (IWSS, IWSA, or IWSVA) to ARM. See: Manually Registering ARM with InterScan Web Security Products
• Set the System Time and Time Zone. See: Manually Setting the System Time and Setting the Time Zone

Note: The time zone is set during installation, but can be changed. The date and time must be synchronized between ARM and the registered InterScan Web Security products. Trend Micro highly recommends using an NTP server to synchronize the date and time.

• Create additional administration accounts. See: Account Administration
• Set up the SMTP email server settings for notifications and scheduled report emails. See: SMTP Settings and Scheduled Reports


Other optional settings to configure after installation:

• Set up a dashboard view with desired components to monitor critical activity. See: Dashboard Overview
• Set up reporting templates for scheduled reports and configure daily, weekly, monthly scheduled report profiles. See: Report Templates, Scheduled Reports, and Custom Reports
• Set up the Manage Log Setting parameters to groom and offload historical data. See: Log Settings
• Enable SSH remote access through the CLI. See: Accessing the Privileged CLI Mode
• Set up anonymous logging in Device Management. See: Anonymous Logging
• Create replication rules for IWSx device configurations and policies. See: Replication Settings

Dashboard Overview

The ARM Dynamic Dashboard provides flexibility in monitoring critical components of the Web security gateway, while offering a central reporting solution that is customizable. ARM allows network operation centers the ability to proactively monitor network and specific types of activity occurring on their InterScan Web security gateway devices. Leveraging the ARM dashboard capabilities, NOC administrators can


Viewing the Dynamic Dashboard

When you log on to ARM, the initial view is the Dynamic Dashboard. (See Figure 2-1.)

FIGURE 2-1. ARM Dynamic Dashboard

The Dynamic Dashboard offers the ability to:

• Create new dashboard views for tracking specific information
• Move between dashboard components to activate other features within the dashboard window, such as drill-down reporting for ad-hoc reporting
• Sort information within the dashboard component views
• Support the drill-down capability to quickly isolate information for troubleshooting
• Distinguish when ARM communicates with the IWSx unit. A green dot displays in the upper left corner of each dashboard when ARM performs a data refresh. The dot displays red when the refresh completes.

Dynamic Dashboard Components

Dynamic dashboard components include reports, statistics, and activity displayed in a dashboard component window. At any time, you can select up to 24 dashboard components to display simultaneously in real time.

You can specify how the component windows are laid out on the dashboard in one of the following formats:

• Grid - organizes the dashboard components in a two (or more) column grid based on the resolution of the display
• 2 columns - organizes the dashboard components in a two-column layout
• Vertical - organizes the dashboard components in a layout from top to bottom
• Horizontal - organizes the dashboard components in a layout from left to right

The user can also:

• Configure the polling or refresh interval for the live dashboard screen and components. For example, the default refresh occurs every 60 seconds, but it can be configured to refresh every 1-99 seconds
• Customize the dashboard components timeline duration in seconds, minutes, or hours


• Configure the chart type. The options are:
  • Table
  • Pie
  • Bar
  • HBar (Horizontal Bar)
  • Line

Note: Various dashboard report types, such as Total Bandwidth and Current Connections, can display multiple chart types simultaneously. See Chart Type Combinations for more information.

Default Report Categories

Dynamic Dashboard components offer reports in the following five categories:

• Network Utilization
• Device Health
• Top 10 Live Statistics
• Live Activity Monitor
• URL and Malware Trending

Note: Occasionally the "Unknown" value displays in some report results when the


Network Utilization

Table 2-2 shows the default network utilization reports. Report names preceded by an asterisk (*) require URL Access logging to be enabled on the IWSx device.

Note: If you set various Network Utilization dynamic dashboard types with high refresh rates (a small number of seconds), the results returned may have decreased relevance due to the lack of data points: it creates many small time intervals for events that do not actually exist. It is best to adjust the dashboard refresh rate by trial and error, since there is no absolute rule due to variations in network environments. The rate at which IWSx sends information to ARM can be increased. See Refresh Rate Overview.
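The following script is an added example written for this edit; it is not code from the ARM guide or from Trend Micro's product. It shows, on a handful of constructed access-log records, the two things the Network Utilization note and the earlier "Difference between Logs and Reports" section describe: how raw log lines are reduced to a report-style ranking (top users by bandwidth, top categories by hits, users with blocked requests) and how counting events per time segment with a very short segment leaves most segments empty, which is the "lack of data points" the note warns about. The record layout, the field names and every value are assumptions; the ARM database schema is not described on this page.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# One parsed record: (timestamp, user, URL category, bytes transferred, action).
LogRecord = Tuple[datetime, str, str, int, str]

# Constructed sample records (not real IWSx output); about three minutes of traffic.
SAMPLE_LOG = [
    ("2011-01-10 09:00:05", "alice", "Business",           120_000, "allow"),
    ("2011-01-10 09:00:09", "bob",   "Social Networking",  480_000, "allow"),
    ("2011-01-10 09:00:31", "carol", "Malware",              2_000, "block"),
    ("2011-01-10 09:00:47", "alice", "Search Engines",      35_000, "allow"),
    ("2011-01-10 09:01:12", "bob",   "Streaming Media",  3_500_000, "allow"),
    ("2011-01-10 09:01:50", "dave",  "Phishing",             1_000, "block"),
    ("2011-01-10 09:02:03", "carol", "Business",            60_000, "allow"),
    ("2011-01-10 09:02:58", "alice", "Malware",              4_000, "block"),
]

USER, CATEGORY, BYTES, ACTION = 1, 2, 3, 4  # field positions in a LogRecord


def parse_records(raw) -> List[LogRecord]:
    """Parse the constructed text records into typed tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, cat, nbytes, action)
            for ts, user, cat, nbytes, action in raw]


def top_n(records: List[LogRecord], field: int, n: int = 10,
          weight_field: Optional[int] = None, only_action: Optional[str] = None):
    """Rank distinct values of one field, by hit count or by a summed field
    (for example bytes). only_action restricts the ranking to one action,
    e.g. "block" for a 'users with the most blocked requests' view."""
    ranked: Counter = Counter()
    for rec in records:
        if only_action is not None and rec[ACTION] != only_action:
            continue
        ranked[rec[field]] += rec[weight_field] if weight_field is not None else 1
    return ranked.most_common(n)


def events_per_segment(records: List[LogRecord], segment_seconds: int):
    """Count events per fixed-length time segment, the way a per-time-segment
    dashboard does. Segments are aligned to midnight of the first record's day
    so results do not depend on when the first event happened, and empty
    segments between the first and last event are kept so that gaps are visible."""
    if not records:
        return []
    midnight = records[0][0].replace(hour=0, minute=0, second=0, microsecond=0)

    def index(ts: datetime) -> int:
        return int((ts - midnight).total_seconds() // segment_seconds)

    counts = Counter(index(rec[0]) for rec in records)
    first, last = min(counts), max(counts)
    return [(midnight + timedelta(seconds=i * segment_seconds), counts.get(i, 0))
            for i in range(first, last + 1)]


def empty_segment_fraction(records: List[LogRecord], segment_seconds: int) -> float:
    """Share of segments in the covered window that contain no events at all."""
    buckets = events_per_segment(records, segment_seconds)
    if not buckets:
        return 0.0
    return sum(1 for _, count in buckets if count == 0) / len(buckets)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("Top users by bandwidth:", top_n(recs, USER, weight_field=BYTES))
    print("Top categories by hits:", top_n(recs, CATEGORY))
    print("Users with blocked requests:", top_n(recs, USER, only_action="block"))
    for seg in (60, 5):
        print(f"{seg:>2}s segments: {empty_segment_fraction(recs, seg):.0%} empty")
```

With 60-second segments every segment in the window has events; with 5-second segments 28 of the 35 segments are empty, so a chart drawn from them is mostly zeros with isolated spikes. The same records produce both pictures; only the segment length differs, which is why the note recommends tuning the refresh rate against real traffic rather than picking the smallest value.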

TABLE 2-2. Network Utilization Reports

REPORT - DESCRIPTION

Bytes Transmitted Inbound - Displays bandwidth (KB) used per time segment for the bytes transmitted for inbound HTTP and FTP traffic to InterScan Web Security products.

Bytes Transmitted Outbound - Displays bandwidth (KB) used per time segment for the bytes transmitted for outbound HTTP and FTP traffic from InterScan Web Security products.

Current Connections - Displays the number of connections per time segment for the current connections open in InterScan Web Security units.

Daily Cumulative Activity - Displays cumulative information on events per second on the last 24 hours, automatically resetting at midnight (00:00:00).
Note: This report resets the number of events

*Events per Second - Displays information about the number of URL events per second traversing the InterScan Web Security products.

Hit Count - Displays information about the number of hits for a time segment in InterScan Web Security products for the selected item being measured.

Total Bandwidth - Displays statistics for both inbound and outbound HTTP and FTP traffic

Device Health

Table 2-3 shows the default device health reports.

TABLE 2-3. Device Health Reports

REPORT NAME - DESCRIPTION

ARM Device CPU Utilization - Displays the CPU utilization from ARM.
ARM Device Disk Utilization - Displays the disk space utilization from ARM.
ARM Device Memory Utilization - Displays the memory utilization from ARM.
IWSx Device Resource Utilization - Displays the CPU and memory utilization from IWSx.


For the device health reports for ARM (CPU, disk, and memory utilization), the refresh rates and timeline durations reflected on the page have been set by Trend Micro for best performance and granularity. The values cannot be configured at will from the page because they depend on certain settings configured in the backend.

• The refresh rate depends on the data insertion frequency.

ARM's resource monitor backend service collects ARM's CPU, disk, and memory utilization data and then inserts the data into the ARM database so that device health reports can be generated. How often the service inserts data is controlled by the data insertion frequency, which can only be configured from ARM's backend configuration file.

To modify the data insertion frequency, follow the procedure in Configuring ARM's Data Insertion Frequency.


Top 10 Live Statistics

Table 2-4 shows the reports about the top ten live statistics reports. Report names preceded by an asterisk (*) require URL Access logging to be enabled on the IWSx device.

TABLE 2-4. Top Ten Live Statistics Reports

REPORT - DESCRIPTION

IntelliTunnel Statistics - Displays information about traffic blocked by IntelliTunnel.

Live Security Risk Report - Displays information about live security risks for the current day, automatically resetting at midnight (00:00:00). It offers the option of drilling down to the details that made up the threat type. It shows compiled data about the following elements:
  • Malware Category
  • Spyware/Grayware Category
  • Pharming & Phishing
  • Unauthorized Web Access
  • Instant Messaging—text
Note: This report resets the number of events shown on a daily basis.
The drill-downs on this report drill down against historical data. The data does not refresh, since the historical data does not change.

*Top 10 Active Users by Bandwidth - Displays information about the top ten most active users by bandwidth usage, with the option of drilling down to recent activity.

*Top 10 Active Users by Hits

*Top 10 Active Users by Time Duration - Displays information about the top ten most active users by time duration, with the option of drilling down to recent activity.

*Top 10 Download Transfers - Displays information about the top ten most popular download transfers, with the option of drilling down to specific users.

Top 10 Popular URLs - Displays information about the top ten most popular URLs, with the option of drilling down to specific users.

*Top 10 URL Categories - Displays information about the top ten URL categories with the option of drilling down to the URL, and from URL to the user.
Note: A valid URL filtering license must be applied on the IWSx machines to obtain category data.

*Top 10 Upload Transfers - Displays information about the top ten most popular upload transfers, with the option of drilling down to specific users.

Top 10 Violations - Displays information about the top ten violations, with the option of drilling down to specific users.


Live Activity Monitor

These reports allow administrators to set up filters to keep a live, real-time monitoring window on specific activity. A maximum number of four filtered dashboard components can be displayed. The asterisk (*) indicates that the Live Activity Monitor requires URL Access logging to be enabled on the IWSx device.

Users may perform filtering on the following items:

• Username
• Source IP address
• Web site
• Domain
• Destination IP address
• Filename
• MIME type

See Configuring Live Activity Monitoring Filters for more information.

URL and Malware Trending

Table 2-5 shows information about URL and Malware trending.

TABLE 2-5. URL and Malware Trending

REPORT - DESCRIPTION

Top 10 Blocked URL Categories - Displays information about the top 10 URL categories that were blocked, with the option of drilling down to the URL in question.

Top 10 Blocked URLs - Displays information about the top 10 URLs that were blocked, with the option of drilling down to specific users.

Top 10 Riskiest URLs by Virus Detected

Top 10 Spyware and Grayware - Displays information about the top 10 spyware/grayware URLs with the option of drilling down to a specific user.

Top 10 Users for Malicious URLs - Displays information about the top 10 users of malicious URLs, with the option of drilling down to URLs in question.

Top 10 Virus and Spyware - Displays outbound and inbound traffic information with the option of drilling down to log event details

Total Violation Count - Displays information about the total violation count with the option of drilling down to the details of specific violations.

Virus and Spyware-Grayware Trend - Displays information about virus and spyware trends with the option of drilling down to log event details for the duration displayed.

Using the Dashboard

You can customize how your data is displayed in the dynamic dashboard. You can set the time duration for the data timeline as well as configure multiple tabs with the dashboard components you need.

Chart Type Combinations

Various dashboard report types, such as Total Bandwidth and Current Connections, can display multiple chart types simultaneously. See Table 2-6.


The table shows whether two chart types can be displayed together. This situation can occur after the user generates a dashboard and right-clicks on a dashboard to change a view. Depending on the dashboard component, there may be one or more series displayed (such as # of HTTP connections and # of FTP connections). A user can select a specific chart type for each series. If a user selects different chart types for each series, the table defines which chart types are compatible.

Supported means the two chart types will work together.

Unsupported means that the combination will not render.

Priority-Selection means the combination will show only one of the two selected chart types.

TABLE 2-6. Chart Type Combinations

         HBAR                BAR                 TABLE               PIE                 LINE
HBAR     Supported           Unsupported         Priority-Selection  Priority-Selection  Unsupported
BAR      Unsupported         Supported           Priority-Selection  Priority-Selection  Priority-Selection
TABLE    Priority-Selection  Priority-Selection  Supported           Priority-Selection  Priority-Selection
PIE      Priority-Selection  Priority-Selection  Priority-Selection  Supported           Priority-Selection
LINE     Unsupported         Priority-Selection


Configuring the Dashboard Settings

The dashboard has several options that allow you to see the data you want in the display format that you prefer.

Note: DO NOT select more than six dashboard components per tab as this will reduce the visibility and require additional scrolling. The more dashboard components displayed, the more CPU and memory ARM will use. The maximum number of dashboard tabs is four, and the maximum number of dashboards being generated on a single web browser per ARM device should not exceed 24 total dashboards. If multiple administrators access ARM, the number of dashboard occurrences between all administrators must not exceed 24.

Certain dashboards on the Dashboard Settings page, designated with an asterisk ( * ), require access logging to be enabled on IWSx to display them.

To configure your dashboard settings:

1. Log into the ARM Web console.
2. To display new information, do one of the following:
   • To display information in the Dashboard tab, go to Dashboard and click the Settings link.
   • To display information in a new tab, click the plus (+) sign in the next tab and enter your settings in the settings pages. Dashboard settings will be saved when you exit.
3. Update the name of the existing dashboard, if needed, or type a new name, such as


4. Select the device group or ALL from the Device Group drop-down list and/or

select the IP address of the appliances to monitor.

Note: Select additional servers from the appliance list, if needed. For example, you

might select a device group from the Device Group drop-down list, then select an additional unit from the Appliances list.

The default refresh rate on the Dynamic Dashboard is 60 seconds. If a server or appliance is deleted from Gateway Devices > Device Registration, the deleted unit may still display in the Device Group and/or Appliances list until the Dynamic Dashboard refreshes.

The device health reports for ARM (CPU, disk, and memory utilization) are unique in that these are currently the only reports that show data returned by ARM. The rest of the reports show data returned by IWSx servers. If you are only interested in ARM device health reports, you do not need to select a device group because device group only includes IWSx servers and not ARM.

5. To display reports in the Network Utilization, Device Health, Top 10 Live Statistics, and

URL and Malware Trending categories, do the following:

a. Select the check box by the report name

b. If necessary, set the refresh rate (in seconds) and the timeline duration (in seconds, minutes, and hours). Timeline duration is the amount of time that the data should be displayed for that report.

Tip: Trend Micro recommends using a refresh rate of 30 seconds or higher, and setting a timeline duration of 10 minutes or higher.

Note: For the device health reports for ARM (CPU, disk, and memory utilization) under Device Health, the default refresh rates and timeline durations reflected on the page have been set by Trend Micro for best performance and granularity. To change the default values, you will need to configure

c. Select the display format, such as pie chart, line chart, and so on.

d. Select Generate at the bottom of the screen.

6. For the Live Activity Monitor category, see Configuring Live Activity Monitoring Filters.

Configuring Live Activity Monitoring Filters

The Live Activity Monitor does not use the concept of refresh frequency or time duration window, so there are no such settings exposed from ARM's web console for this dashboard type. Instead, the Live Activity Monitor shows a maximum of 100 records automatically and only the table chart type is available for this dashboard type. This design reduces the resource usage on ARM because this type of dashboard may display numerous events due to high traffic volume.

Note: Define one or more filter types before generating this dashboard type or a reminder prompt will appear.

To configure live activity monitoring filters:

1. Select Dashboard and click the Settings link.

2. Type a name for the dashboard you are configuring.

Note: The default refresh rate on the Dynamic Dashboard is 60 seconds. If a server or appliance is deleted from Gateway Devices > Device Registration, the deleted unit may still display in the Device Group and/or Appliances list until the Dynamic Dashboard refreshes.

3. Scroll down to Live Activity Monitor.

5. Select a filter type from the drop-down list. See Table 2-7 for details.

TABLE 2-7. Filter Type Settings and Parameters

FILTER TYPE PARAMETERS

Username Allows the monitoring of a specific user by specifying the IP address or computer name of a client machine, or the User ID (by entering the LDAP username).
Note: Verify the type of user identification method configured on your IWSx units prior to specifying a username filter type value to ensure that the data of interest is being queried and shown.
Example: 10.3.12.234 or BSmith

Source IP Monitors any specified source IP address.
Example: 10.1.1.5

Website Allows the user to specify a specific URL string to look for.
Example: www.example.com\page_default

Domain Allows the user to specify a specific domain to search for.
Example: example.com

Destination IP Monitors a specified destination IP address.
Example: 10.2.5.25

File Name Monitors a specified file name.
Example: example.doc or example.txt
See File and MIME Types for more information.

MIME Type Monitors specified MIME types, such as executable, MS Office document, or image.

6. Type a value for the filter type in the adjacent field.

• Type each value one at a time.

• For the username, source IP, and destination IP filter types, you can type multiple values separated by semicolons.

7. Select Add.

8. Set up another filter, if needed.

Note: Selecting numerous Filter Types or values increases the amount of time it takes to complete the query.

If more than one filter exists on the filter list:

• ARM does a logical AND condition among values for different filter types.

• ARM does a logical OR condition among values for the same filter type, including values separated by semicolons (see step 6). See the following example:

In the above example, the condition can be expressed as:

BSmith AND (www.example.com OR www.newpage.com) AND document.txt

This means that the dashboard will only display data for user BSmith’s activities on

9. Create or change Live Activity Monitor filters using the instructions in the following table:

TABLE 2-8. Live Activity Monitor Filter Actions

ACTION STEPS

Create new filters
1. Add the needed filter in the Live Activity Monitor > Settings page.
2. Select Save.
3. Select the Live Activity Monitor check box.
4. Generate the new dashboard.
• The filter settings remain saved even after logging out and logging back into the ARM Web console.

Modify existing filters
1. Select the Live Activity Monitor > Settings page of an existing Live Activity Monitor dashboard.
2. Add new filters as needed and/or delete existing filters by clicking on the delete icon.
3. Select Save.
4. Verify that the Live Activity Monitor check box is selected.
5. Generate the dashboard.
• The updated filter settings will now be
Results appear as a rolling table that auto-refreshes when new data becomes available.
Note: You may need to reconfigure your IWSx product to send information to the ARM database faster. This will affect how the information is displayed on the Dashboard. For more information, see Refresh Rate Overview.

Delete existing filters
To delete some filters, use the "Modify existing filters" steps shown in the previous row.
To delete all filters from an existing Live Activity Monitoring dashboard:
1. Close the Live Activity Monitor portion of the generated dashboard (or the whole dashboard).
2. Select Settings.
3. Select the Live Activity Monitor > Settings page.
4. Delete all of the filters.
5. Select Save.
• If you do not close the dashboard prior to deleting all filters, the filter settings will not be completely deleted and they will reappear the next time you log out and log back into the ARM web console.
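The filter combination rule from step 8 (OR among the values of one filter type, including semicolon-separated values; AND across different filter types), modelled in Python as an added example that is not ARM's own code. The record fields and the way each filter type is matched against a record are assumptions made for this example; the filter list is the manual's BSmith example.

```python
"""Model of the Live Activity Monitor filter rule: OR among values of the same
filter type (including semicolon-separated values), AND across filter types.
Added example, not ARM's code; record layout and per-type matching are assumed."""
from posixpath import basename
from urllib.parse import urlsplit

# Filter types from Table 2-7, in the order the condition is rendered.
FILTER_TYPES = ("username", "source_ip", "website", "domain",
                "destination_ip", "file_name", "mime_type")
# Types whose field accepts several values separated by semicolons (step 6).
MULTI_VALUE_TYPES = {"username", "source_ip", "destination_ip"}


def parse_filter_value(filter_type, raw):
    """Split one typed value into the alternatives ARM would OR together."""
    if filter_type not in FILTER_TYPES:
        raise ValueError("unknown filter type: %s" % filter_type)
    parts = raw.split(";") if filter_type in MULTI_VALUE_TYPES else [raw]
    return [p.strip() for p in parts if p.strip()]


def build_filter(entries):
    """Turn (filter_type, value) pairs into {filter_type: set(values)}."""
    groups = {}
    for filter_type, raw in entries:
        groups.setdefault(filter_type, set()).update(
            parse_filter_value(filter_type, raw))
    return groups


def _value_matches(filter_type, value, record):
    """Assumed matching rule per filter type against one access-log record."""
    url = record.get("url", "")
    host = urlsplit(url).hostname or ""
    wanted = value.lower()
    if filter_type == "username":
        # Username accepts a client IP or an LDAP user ID (Table 2-7).
        return wanted in (record.get("user", "").lower(),
                          record.get("source_ip", ""))
    if filter_type in ("source_ip", "destination_ip"):
        return value == record.get(filter_type)
    if filter_type == "website":
        return wanted in url.lower()  # "a specific URL string to look for"
    if filter_type == "domain":
        return host == wanted or host.endswith("." + wanted)
    if filter_type == "file_name":
        return basename(urlsplit(url).path).lower() == wanted
    if filter_type == "mime_type":
        # Exact type, or a top-level type such as "image" matching image/png.
        mime = record.get("mime_type", "").lower()
        return mime == wanted or mime.startswith(wanted + "/")
    return False


def record_matches(groups, record):
    """AND across filter types, OR among the values of one filter type."""
    return all(any(_value_matches(ftype, v, record) for v in values)
               for ftype, values in groups.items())


def filter_records(groups, records, limit=100):
    """Apply the filter list; the Live Activity Monitor shows at most 100 rows."""
    if not groups:  # the console prompts for at least one filter
        raise ValueError("define at least one filter type")
    return [r for r in records if record_matches(groups, r)][:limit]


def describe(groups):
    """Render the condition as the manual writes it, e.g. A AND (B OR C)."""
    parts = []
    for ftype in FILTER_TYPES:
        values = sorted(groups.get(ftype, ()))
        if len(values) == 1:
            parts.append(values[0])
        elif values:
            parts.append("(" + " OR ".join(values) + ")")
    return " AND ".join(parts)


# The manual's example filter list: one user, two web sites, one file name.
EXAMPLE_FILTERS = [("username", "BSmith"), ("website", "www.example.com"),
                   ("website", "www.newpage.com"), ("file_name", "document.txt")]

# Constructed sample records (not real log data); only the first two match.
SAMPLE_RECORDS = [
    {"user": "BSmith", "source_ip": "10.3.12.234",
     "url": "http://www.example.com/docs/document.txt", "mime_type": "text/plain"},
    {"user": "BSmith", "source_ip": "10.3.12.234",
     "url": "http://www.newpage.com/document.txt", "mime_type": "text/plain"},
    {"user": "BSmith", "source_ip": "10.3.12.234",
     "url": "http://www.example.com/page_default", "mime_type": "text/html"},
    {"user": "JDoe", "source_ip": "10.1.1.5",
     "url": "http://www.example.com/docs/document.txt", "mime_type": "text/plain"},
]
```

Calling describe(build_filter(EXAMPLE_FILTERS)) yields the condition written in step 8, and filter_records returns the two BSmith records that satisfy it.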

Threat Resources

Resources to learn more about certain threats can be accessed from the Dashboard page. The following resources are available:

• Trend Micro Threat Resource Center: Offers the latest information about recent web threats.

• TrendTracker: Trend Micro's Web Threat protection technology blocks eight to ten million infections every day by scanning Web sites, email and files for malicious code.

• Malware/Spam Map: Visit the Malware/Spam Map to see where various web threats are originating from and their associated risk level.

• Virus Encyclopedia: Run a search for a particular virus and learn about its effect,

Reports

This chapter focuses on types of reports, how to generate them, how to add new ones, and how to use them.

Topics include:


Quick Reports

InterScan Web Security products can generate reports about virus and malicious code detections, files blocked, URLs accessed, and DCS cleanups. Trend Micro Advanced Reporting and Management (ARM) collects and displays this information about InterScan Web Security product events to help you optimize program settings and fine-tune your organizational security policies.

You can configure quick reports from a pre-canned selection of reports. For example, ARM allows you to generate reports on demand (in near real time) about traffic, cleanup, individual/per-user usage, blocking events, and spyware/grayware. If you have created report templates, you can load selections from any of these templates to further speed up report generation. To share reports with those who need them, you can print them or export them in CSV or PDF format.

Note: ARM reports viewed on the screen allow customers to change the sort criteria by clicking on the column headers. ARM reports printed to PDF use preset sort values defined in the reports and are not modifiable by users.

Anonymous Reporting for Quick Reports

Anonymous reporting provides the option to prevent user-identifiable information from being included in ARM reports. The user identification information consists of the source IP address and the user identity generated by IWSVA events. If anonymous reporting is enabled, the user identification information is rendered unidentifiable before being processed and reported.

Anonymous reporting for quick reports can be set in the quick reports configuration (see Setting Report Parameters and Generating Quick Reports) or in the template configuration (see Adding and Modifying a Report Template).

Note: If anonymous logging is enabled in the IWSVA device, user identification information


Types of Quick Reports

The available types of quick reports include:

• Traffic Reports: Reports about Web browsing activity, such as the most popular Web sites, downloads, and other details about Web browsing activity. See Traffic Reports.

• Cleanup Reports: Reports about DCS cleanup attempts requested by InterScan Web Security products. See Cleanup Reports.

• Blocking-Event Reports: Reports about virus detections, policy violations, and blocked URLs. See Blocking-Event Reports.

• Supervision Reports: Reports about URLs that are blocked, monitored, warned, or warned and continued. See Supervision Reports.

• Usage Reports: Reports showing usage statistics about application, Web categories, URLs, and total time. See Usage Reports.

• Cost Reports: Shows the cost statistics by protocol, browse time and URL/user, URL costs by bandwidth, and User costs by bandwidth. See Cost Reports.

• Individual/Per User Reports: Reports reflecting usage behavior by users. See Individual/Per User Reports.

• Spyware/Grayware Reports: Reports about spyware detections. See Spyware/Grayware Reports.

• ARM Device Health Reports: Reports how much of ARM's system resources (CPU, memory, and disk space) are being utilized. See ARM Device Health Reports.

Note: The device health reports for ARM are unique in that these are currently the only reports that show data returned by ARM. The rest of the reports show data returned by IWSx servers. If you are only interested in ARM device health reports, you do not need to select a device group in the Quick Reports screen because the device group only includes IWSx servers and not ARM.

Terminology of Quick Reports


Note: Occasionally the “Unknown” value displays in some report results when the IWSx product is unable to classify a particular field. This generally occurs in the URL category for unrated URLs. The Unknown value also occurs in place of the user name, when the IWSx product cannot find a particular user via the LDAP look up.

TABLE 3-1. Quick Report Terms

TERM DEFINITION

# of Infections Lists the number of infections detected for a specific source, such as spyware.

Activity Level by Hour Shows the level of activity on an hourly basis.

Application Gives the name of an instant messaging application (IM or P2P) or a protocol (HTTP, HTTPS, or FTP).

Bandwidth (MB) Shows the bandwidth in megabytes used by a specific protocol, user, or URL.

Blocked Shows the number of times a specific user or URL was blocked.

Bytes Shows the bytes used by a specific user accessing a specified URL.

Category Lists the name of the URL Filtering category to which the URL belongs, such as Alcohol/Tobacco or Software Downloads.

Date Visited Lists the day, date and time that a specific URL was accessed.

Date/Time Shows the date and time that an event occurred. For example, in the Most Active Users report, the date and time that a specific URL was accessed appears in the following format:

Day of the Week Gives the day of the week that an event occurred. For example: Sunday.

Distinguished Separates blocked events from not blocked events in the reports.

Domain Shows the domain name or IP address of a Web site that is part of the data referred to in a report, such as in the Traffic Report "Most Popular URL."

Encrypted Transactions Displays the number of encrypted transactions, which consist of data exchanged over a secure protocol, such as HTTPS.

Entity Name Gives the name of an entity (such as worm.exe) for a possibly malicious entity type, such as Trojan or cookie.

Entity Type Lists the type of malicious entity encountered, such as Trojan, macro, or cookie.

File Name Gives the file name of an Applet or ActiveX object.

File Type Shows the origin of the file (application, text, message) and the file type (HTML, XML, octet-stream, and so on). Found in the Most Popular Downloads report.

Group Lists the name of a group involved in a report query, such as in the Blocking-Event report "Most Violations by Group."

Hits Shows the number of hits for a specific URL or domain.

Hour of the Day Lists the hour of the day (0:00 - 23:00) that events occur.

Index # Indicates a number for a URL or other item so it can be identified in a graph.

Infections Lists the number of infections detected for a specific source, such as spyware.

Infection Name Gives the proper name of a detected infection.

IP Address Lists the IP address of the machine indicated by a report, such as the Cleanup Report "Most Infected IP Address."

Malicious Entity Gives the name of a type of malicious entity, such as "Virus."

Malware Name Lists the proper name of malware detected, such as Bloodhound.Exploit.219.

MB Received Shows the number of megabytes received on a specified date or for a specific download.

MIME Type Shows the MIME type for a URL, such as text/html, image/png or unknown/unknown.

Member Lists the IP address of a group member in the Blocking-Event report "Most Violations by Group."

Monitored Shows the number of times a specific user or URL was monitored.

Operation Lists the operation at a URL using HTTP methods such as POST, GET, PUT and DELETE that appear in the Usage Report "Total Time by User."

Policy or Policy Name Indicates the name of an IWSx virus- or URL-related policy that was violated and caused a blocking event.

Protocol Indicates the application protocol, such as HTTP, HTTPS, or FTP.

Requests Indicates the number of requests for a specific URL Filtering category such as Adult/Mature Content or Search Engines/Portals.

Search text Displays the actual text entered into a search engine as shown in the Traffic Report "Most Popular Search Engines."

Server Shows the name or IP address of a server used in a URL request as in the Usage Report "Total Time by User." This name or IP address usually designates the name of the IWSx unit used to scan, except for the server IP entry in the URL usage log, which shows the IP address of the destination server.

Size or Size (Bytes) or Size (kb) or Size (MB) Indicates the size of a URL request, or any downloaded or uploaded file.

Spyware Name Lists the name of detected spyware.

Time Gives the time of an event.

Time Used or Time Used (Seconds) Gives the amount of time used during an event or activity.

Total Disk Indicates the total amount of disk space (in MB) allocated to ARM.

Total Downloads Includes both unblocked and blocked sessions.

Total Time Browsing (sec) Indicates the number of seconds a user spent browsing.

Unblocked Reports URLs not blocked.

Undistinguished Means that both blocked and not blocked events are summarized together in reports as total hits only.

URL Gives the actual URL or IP address that was accessed.

URLs Visited (Max. 500) Lists the number of URLs accessed, up to 500.

User or Username States the name of a user or the IP address of a user.

Usage In Supervision Reports, designates the number of times the URL or User usage occurred. In ARM Device Health Reports, indicates the percentage of CPU, memory, or disk space that ARM is using at a given time.

Used Disk Indicates the amount of disk space (in MB) that ARM is using at a given time.

Violation Shows the name of the policy violated.

Virus Type Shows the type of malware discovered in the "Cleanup events by category" report.

Viruses Blocked Shows the number of viruses blocked for a specific URL.

Visits Shows the number of visits to a specific URL.

Warned Shows the number of times a specific URL was accessed and a warning was issued.

Warned and Continued Shows the number of times a specific URL was accessed where a warning was issued and the user chose to continue to access the URL.


Using the Drill-down Images

Images included in the drill-down explanation tables (Table 3-3 through Table 3-9) show the results displayed for a given report and the levels of the drill-downs. Table 3-2 explains how to use the drill-down images.

TABLE 3-2. Drill-down Image Components

LABEL DESCRIPTION

Report Name The name of the report being depicted.

1A, 1B Elements found in the first level of the drill-down report. These elements display when the report opens.

2A-1 through 2A-4 and 2B-1 through 2B-5 Elements found in the second level of the drill-down, accessed by clicking on the results shown in the first level.

Username* Username components are always the same and are displayed in the text box above the drill-down image.

[Drill-down image: Report Name; first level 1A, 1B; second level 2A-1 through 2A-4 and 2B-1 through 2B-5; Username*]

* Username drills down to:

• URL

• Date/Time

• Size (Bytes)

• Hits


Traffic Reports

Traffic reports might take a long time to generate for large sites with extensive access logs.

Note: The six reports that can take a long time to generate, if a user selects "Distinguish" Blocked from Unblocked traffic, are:
- Most active users
- Most popular URLs
- Most popular downloads
- Total Time by User
- URL Category Usage Report
- User Cost by Bytes

These reports contain traffic and usage data.


The following types of traffic reports are available. (See Table 3-3.)

TABLE 3-3. Traffic Reports and Configuration

REPORT CONFIGURABLE PARAMETERS

Activity Level by Hour None
Drill-down: [image: Activity Level by Hour; Hour of the Day, Encrypted Transactions, Hits, Size (Bytes), Time Used, Username*]
* Username drills down to:

Activity level by day of the week None
Drill-down: [image: Activity level by day of the week; Day of the Week, Encrypted Transactions, Hits, Size (Bytes), Time Used, URL, Username*]
* Username drills down to:

Bandwidth Report
• URL (or * wildcard)
• Application type
• IP Range (or * wildcards)
Drill-down: [image: Bandwidth Report; Date/Time, Time, Size (Bytes), Size (MB), Hits, Time Used, Username*]
* Username drills down to:
• URL
• Date/Time
• Size (Bytes)
• Hits

Daily traffic report None
Drill-down: [image: Daily traffic report; Date, Size (kb), Time Used, MB Received, URL, Hits, Size (Bytes), Username*]
* Username drills down to:

Most active users Distinguished or Undistinguished for Blocked/Unblocked traffic
Note: Allow extra time for this report to generate.
Drill-down: (image not available)

Most popular URLs
• Number of URLs to display
• Distinguished or Undistinguished for Blocked/Unblocked traffic
Note: Allow extra time for this report to generate.
Drill-down: [image: Most popular URLs; URL, Hits, Domain, Unblocked, Blocked, Time Used, Time Used (Seconds), Size (Bytes), Size (kb), Bytes, Category, Date/Time, Username*]
* Username drills down to:

Most popular downloads
• Number of downloads to display
• Distinguished or Undistinguished for Blocked/Unblocked traffic
Note: Allow extra time for this report to generate.
Drill-down: [image: Most popular downloads; URL, Hits, File Type, Unblocked, Blocked, Total Downloads, Time Used (Seconds), Bytes, MB Received, Username*]
* Username drills down to:

Most popular search engines Number of search engines to display
Drill-down: [image: Most popular search engines; URL, Hits, Username*]
* Username drills down to:

Top categories (weighted) Number of weighted categories to display
Drill-down: [image: Top categories (weighted); Category, Requests, URL, Hits, Time Used (Seconds), Bytes, Date/Time, Size (Bytes), Username*]
* Username drills down to:

Cleanup Reports

Note: The cleanup reports shown in the following table contain data about Damage


TABLE 3-4. Cleanup Reports and Configurable Parameters

REPORT NAME CONFIGURABLE PARAMETERS

Cleanup events by category Number of cleanup events by category to be displayed
Drill-down: [image: Cleanup events by category; Category, # of Infections, Virus Type, URL, Date/Time, Username]
* Username drills down to:

Most infected IP addresses Number of infected IP addresses to be displayed
Drill-down: [image: Most infected IP addresses; IP Address, # of Infections, Entity Type, Date/Time]
* Username drills down to:

Top cleanup events by name Number of cleanup events by name to be displayed
Drill-down: [image: Top cleanup events by name; Malware Name, # of Infections, Date/Time]
* Username drills down to:

Blocking-Event Reports

IntelliTrap is used in real-time reports by InterScan Web Security products to detect potentially malicious code in compressed executable files that arrive with HTTP data. When IntelliTrap detects a malicious executable file, the detection appears in Blocking-event reports. (See Table 3-5.)

TABLE 3-5. Blocking-Event Reports and Configurable Parameters

REPORT NAME CONFIGURABLE PARAMETERS

IntelliTunnel Report None
Drill-down: [image: IntelliTunnel Report; Blocked, Protocol, Application, Username, Date/Time, Username*]
* Username drills down to:
• URL
• Date/Time
• Size (Bytes)
• Hits

Most blocked Applets and ActiveX objects
• Number of blocked Applets and ActiveX objects to display
• Range of Users (IP addresses or LDAP User IDs), and LDAP Group ID monitored for attempting to access blocked Applets and ActiveX objects
Drill-down: [image: Most blocked Applets and ActiveX objects; Index #, URL, Blocked, Username*]
* Username drills down to:

Most blocked URL categories
• Number of blocked URL categories to display
• Filter Action (Blocked, Monitored, Warned, Warned and Continued)
• Range of Users (IP addresses or LDAP User IDs), and LDAP Group ID monitored for attempting to access blocked URL categories
Drill-down: [image: Most blocked URL categories; Index #, Category, URL, Blocked, Username*]
* Username drills down to:

Most blocked URLs
• Number of blocked URLs to display
• Filter Action (Blocked, Monitored, Warned, Warned and Continued)
• Range of Users (IP addresses or LDAP User IDs), and LDAP Group ID monitored for attempting to access blocked URL categories
Drill-down: (image not available)

Most blocked URLs by day of the week
• Number of blocked URLs by day of the week to display
• Range of Users (IP addresses or LDAP User IDs), and LDAP Group ID monitored for attempting to access blocked URL categories
Drill-down: [image: Most blocked URLs by day of the week; Day of the Week, Blocked, URL, Size (Bytes), Username, Date/Time, Username*]
* Username drills down to:

Most blocked URLs by hour
• Range of Users (IP addresses or LDAP User IDs), and LDAP Group ID monitored for attempting to access blocked URL categories
Drill-down: [image: Most blocked URLs by hour; Hour, Blocked, URL, Size (Bytes), Username, Date/Time, Username*]
* Username drills down to:

Most violations by group
• Number of violations per group to display
• Range of IP addresses monitored for group violations
• A single LDAP group ID
Note: If the User (IP ranges or LDAP User IDs) field is left blank, any users in violation will display in the report results even if the user does not belong to the group name that is entered in the LDAP Group ID field.
Drill-down: [image: Most violations by group; Group, Member, Violation, Blocked, Username*, Date/Time]
* Username drills down to:

Most violations by user
• Users (IP Ranges or LDAP user IDs)
• Number of users in violation
Drill-down: [image: Most violations by user; URL, Blocked, Username*, Date/Time]
* Username drills down to:

Riskiest URLs by virus detected Number of violations by URL to display
Drill-down: [image: Riskiest URLs by virus detected; URL, Viruses Blocked, Hits, Malicious Entity, Username*]
* Username drills down to:
• URL
• Date/Time
• Size (Bytes)
• Hits
• Time Used

Security Risk None
Drill-down: (image not available)

Users with most requests for malicious URLs Number of requests by user to display
Drill-down: [image: Users with most requests for malicious URLs; Viruses Blocked, Category, Username*]
* Username drills down to:
