Trend Micro Incorporated
July 2023

Trend Micro™ Deep Discovery Inspector

6.6

NOTICE: This Readme file was current as of the date above. However, all customers are advised to check Trend Micro's Web site for documentation updates at http://docs.trendmicro.com.

TIP: Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro Web site. Register during installation or online at https://clp.trendmicro.com/FullRegistration?T=TM.

1. About Deep Discovery Inspector

Deep Discovery Inspector is a third-generation threat management solution, designed and architected by Trend Micro to deliver breakthrough advanced persistent threat (APT) and targeted attack visibility, insight, and control.

Trend Micro Deep Discovery Inspector is the result of thorough investigations of targeted attacks around the world, interviews with major customers, and the participation of a special product advisory board made up of leading G1000 organizations and government agencies.

Deep Discovery Inspector provides IT administrators with critical security information, alerts, and reports.

Deep Discovery Inspector deploys in offline monitoring mode. It monitors network traffic by connecting to the mirror port on a switch for minimal or no network interruption.

Back to top

2. What's New

See Chapter 1 of the Administrator's Guide or visit the following page for a list of new features and enhancements in this release: https://docs.trendmicro.com/all/ent/ddi/v6.6/en-us/olh/whats-new.html

Back to top

3. Documentation Set

To download or view electronic versions of the documentation set for this product, go to http://docs.trendmicro.com

In addition to this Readme file, the documentation set for this product includes the following:

• Online Help: The Online Help contains an overview of features and key concepts, and information on configuring and maintaining Deep Discovery Inspector. To access the Online Help, go to http://docs.trendmicro.com.

• Administrator's Guide (AG): The Administrator's Guide contains an overview of features and key concepts, and information on configuring and maintaining Deep Discovery Inspector.

• AWS Deployment Guide: A PDF document that contains information about requirements and procedures for planning deployment, deploying, and troubleshooting Deep Discovery Inspector deployment on AWS.

• Installation and Deployment Guide (IDG): A PDF document that contains information about requirements and procedures for planning deployment, installing Deep Discovery Inspector, and using the Preconfiguration Console to set initial configurations and perform system tasks.

• Inline (LAN bypass) Network Interface Card Installation Guide (GSG): A PDF document that contains information about requirements and procedures for installing an additional bypass network interface card on supported Deep Discovery Inspector appliances.

• Syslog Content Mapping Guide (SG): A PDF document that provides information about log management standards and syntaxes for implementing syslog events in Deep Discovery Inspector.

• Quick Start Card (QSG): User-friendly instructions on connecting Deep Discovery Inspector to your network and on performing initial configurations.

• Support Portal: The Support Portal contains information on troubleshooting and resolving known issues. To access the Support Portal, go to https://success.trendmicro.com.

Back to top

4. System Requirements

See the Installation and Deployment Guide for a list of system requirements.

Back to top

5. Installation or Upgrade

See the Quick Start Card and the Installation and Deployment Guide for installation instructions.

See Chapter 6 of the Administrator's Guide for upgrade instructions.

Back to top

6. Post-Installation Configuration

• Enabling secure cipher suites in Microsoft Active Directory

  Deep Discovery Inspector 6.6 disables insecure cipher suites when connecting to integrated products or services. Users of Windows 8.1 and Windows Server 2012 R2 need to enable secure cipher suites manually.

  1. Use the registry editor to enable TLS 1.2. For more information, see https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-and-disable-tls-12

  2. Install update 2919355. Update 2919355 adds secure cipher suites and changes the priority order. For more information, see https://support.microsoft.com/en-us/topic/windows-rt-8-1-windows-8-1-and-windows-server-2012-r2-update-april-2014-3c9d820b-7079-359d-8660-21de648fa31d

• If upgrading from a previous version

  Clear the browser cache after completing the upgrade and before logging on to the Deep Discovery Inspector management console. For details, see Chapter 6 of the Administrator's Guide or visit https://docs.trendmicro.com/all/ent/ddi/v6.6/en-us/olh/clearing-the-browser.html

Back to top

7. Known Issues

Known issues in this release:

1. When Deep Discovery Inspector is deployed inline and TLS Traffic Inspection is enabled, the FileZilla FTP client with an explicit TLS setting may be unable to connect to an FTP server. To allow the FileZilla FTP client to connect, add the FTP server IP address as a Domain Object exception in the management console at Administration > Monitoring/Scanning > TLS Traffic Inspection > Decryption Policy.

2. When Deep Discovery Director - Network Analytics (DDD - NA) on-premises 3.0 is integrated with Deep Discovery Inspector and then you migrate to Deep Discovery Inspector 5.7 or above, the DDD - NA integration will not be migrated. To continue using DDD - NA after migration, perform a fresh install of Deep Discovery Director 5.2 (Install in consolidated mode > Install internal Network Analytics version) and reintegrate with Deep Discovery Inspector.

3. Deep Discovery Inspector deployed in AWS truncates mirrored packets larger than 8947 bytes due to the AWS traffic mirror limitation. To avoid truncation, the MTU size in the traffic mirror source needs to be set to equal or less than 8947 bytes.

4. The encapsulated remote mirroring feature in Deep Discovery Inspector (under Show advanced settings in the Administration > System Settings > Network Interface screen) supports only IPv4 addressing to receive mirrored traffic. IPv6 addressing is not supported.

5. During peak resource usage on a Deep Discovery Inspector virtual appliance deployed with a virtual distributed switch that is configured for encapsulated remote mirroring, the ESXi mirroring source might drop packets during transmission.

6. For Backup / Restore under Administration > System Maintenance, this version of Deep Discovery Inspector does not support cross-language backup/restore and only supports configuration restored from the following Deep Discovery Inspector versions:

   • 6.2

   • 6.5

   • 6.6

7. Deep Discovery Inspector 5.0 and above cannot communicate with Smart Protection Server version 3.2 or earlier. To avoid this issue, upgrade your Smart Protection Servers to version 3.3, or go to Administration > Monitoring / Scanning > Web Reputation and then configure the smart protection source as "Trend Micro Smart Protection Network".

8. Deep Discovery Inspector 5.0 and above cannot communicate with the following products or services when TLS enforcement for Secure Protocol is enabled:

   • Deep Discovery Analyzer versions earlier than 5.5

   • Network VirusWall Enforcer versions earlier than 3.5 SP3

   • Smart Protection Server versions earlier than 3.3

   • Threat Management Services Portal

   • Trend Micro Control Manager versions earlier than 7.0

   • TippingPoint Security Management System (SMS) versions earlier than 4.4

   • Check Point Open Platform for Security (OPSEC) versions earlier than R77.30

   • IBM Security Network Protection (XGS) versions earlier than 5.2

   • Palo Alto PAN-OS versions earlier than 7.0

   • Palo Alto Panorama versions earlier than 7.0

   • Microsoft Windows Server versions earlier than 2008 R2

9. After opening the Deep Discovery Inspector management console from Apex Central using single sign-on, features that involve file upload behavior do not function, such as migration, hot fix application, and configuration import.

10. When performing sandbox analysis using a Windows 10 image that requires higher system resources, the performance of Deep Discovery Inspector may be affected. Trend Micro recommends evaluating the system load capacity on Deep Discovery Inspector before using a Windows 10 sandbox environment for analysis.

11. After resetting the one-time password on an integrated Check Point appliance, suspicious Objects and C&C callback addresses are not distributed to the Check Point appliance and the following message is generated in the Deep Discovery Inspector System Logs: "Unable to distribute suspicious objects to Check Point OPSEC. Verify that the Check Point OPSEC settings are correct and that no network problem exists." To avoid this issue, type and then save the new SIC one-time password in Deep Discovery Inspector.

12. Performing concurrent file downloads or log exports can cause the management console to behave unexpectedly. To avoid this issue, wait until a file download or log export completes before starting another.

13. After migration, information on some screens might not appear. To view the information, clear the browser cache and refresh the page.

14. When opening an exported CSV file on a European Windows platform, all data might appear in the first column. To view the fields in separate columns, at the beginning of the CSV file, insert "sep=," as a new line and reopen the CSV file in Excel.

15. After rebooting from migration, immediately performing an update or firmware upgrade causes the internal Virtual Analyzer to fail. To prevent this issue, after rebooting from migration, go to the Administration > Virtual Analyzer > Internal Virtual Analyzer > Status screen and ensure that the status is "Running" before performing an update or firmware upgrade.

16. On the System Logs screen, if the selected time period contains a time change from standard time to daylight saving time or from daylight saving time to standard time, the timestamp information will shift after the time change occurs.

17. With the management console open in Firefox, if logs are still loading on the Detections > All Detections screen when the Export button is clicked, the loading process will be interrupted. Use Chrome or Edge instead.

18. After migration from a previous release, any customized dashboard configuration and dashboard layout changes are restored to default.

19. When navigating to another tab immediately after landing on the Dashboard > Summary tab, tab layouts do not display correctly.

20. When editing advance filters on the Affected Hosts and All Detections screens and the system reaches the configured session timeout, Deep Discovery Inspector logs off the management console without notice and unsaved edits are lost. To avoid this issue, save frequently, and go to Administration > System Settings > Session Timeout and extend the session timeout setting.

21. IPv6 format cannot be used to configure IP settings for Proxy or for all Deep Discovery Inspector integrated products and services. Use IPv4 format instead.

22. In the Threat Summary and Watch List widgets, if the selected time period is "Past 24 hours" and contains a time change from standard time to daylight savings time or from daylight savings time to standard time, the widgets display the wrong information. To view correct information when selecting a time period that contains a seasonal time change, select "Past 7 days" or "Past 30 days".

23. In the Top Affected Hosts widget and all Top Trends widgets, if the selected time period is "Past 1 hour" or "Past 24 hours" and contains a time change from standard time to daylight savings time or from daylight savings time to standard time, the widgets display the wrong information. To view correct information when selecting a time period that contains a seasonal time change, select "Past 7 days" or "Past 30 days".

24. When opening an exported .csv file on a Mac platform, Deep Discovery Inspector returns unreadable code in the first field. Open exported log files in Windows only.

25. In log and on-demand report queries, the "Custom range" calendar displays in browser time, not in Deep Discovery Inspector system time. To align, set your browser time zone to your Deep Discovery Inspector system time zone.

26. The URL of a detected "Suspicious URL" displayed in a notification email is an active link. Avoid clicking on the link to the detected URL.

27. A manual "Update Components" action cannot be stopped while the action is in-process.

28. On some Deep Discovery Inspector screens, the date and time format does not follow an international standard.

29. Each management console user account is provided with a shared dashboard. Changes to one user account dashboard affect the dashboards of other user accounts.

30. When uploading Virtual Analyzer images from an FTP server:

    • Enable the FTP server for both active and passive mode

    • Enable UTF-8, if the file path or name contains DBCS characters

31. The Malicious Scanned Network Traffic widget does not include historical data in the displayed statistics after the Deep Discovery Inspector appliance is restarted. The correct data eventually displays after a few minutes.

32. Traffic data in some widgets cannot be purged on the management console. The Scanned Traffic by Protocol widget displays data even after logs are deleted on the Administration > Storage Maintenance screen.

Back to top

8. Contact Information

A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.

NOTE: This information is subject to change without notice.

Back to top

9. About Trend Micro

Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information

Copyright 2023, Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro logo, Deep Discovery, Deep Discovery Inspector, Trend Micro Control Manager, and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

Back to top

10. License Agreement

View information about your license agreement with Trend Micro at:

Third-party licensing agreements can be viewed:

• By selecting the "About" option in the application user interface

• By referring to the "Legal" page of the Getting Started Guide or Administrator's Guide

Back to top