TMEF ICAP Pre-scan Detection Logs

| TMEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | TMEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Deep Discovery Analyzer |
| Header (pver) | Appliance version | Example: 7.1.0.1088 |
| Header (eventName) | Event name | ICAP_PRESCAN_EVENT |
| Header (severity) | Risk level | 8 |
| deviceGUID | Appliance GUID | Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536 |
| deviceExternalId | Appliance GUID | Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536 |
| deviceMacAddress | Appliance MAC address | Example: 00:0C:29:6E:CB:F9 |
| rt | Log generation time | Example: May 31 2021 15:56:04 GMT+08:00 |
| dvcmac | Appliance MAC address | Example: 00:0C:29:56:B3:57 |
| dvc | Appliance IP address | Example: 10.1.144.199 |
| dvchost | Appliance host name | Example: localhost |
| fileHash | SHA1 | Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3 |
| fileType | True file type | Example: RIFF bitmap file |
| fname | File name | Example: excel.rar |
| sha256 | SHA256 | Example: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F |
| cn1Label | Sample type | sampleType |
| cn1 | Sample type | 0: File sample; 1: URL sample |
| request | URL | Example: http://example.com:80/ |
| malName | Malware name | Example: HEUR_NAMETRICK.A |
| src | Source IPv4 address | Example: 10.1.144.199 |
| dst | Destination IPv4 address | Example: 10.1.144.198 |
| cs1Label | submitterName | |
| cs1 | ICAP client | Example: 10.205.190.3 |
| cs2Label | icapMode | |
| cs2 | ICAP mode | REQMOD: ICAP Request modification method; RESPMOD: ICAP Response modification method |
| cs3Label | sourceUser | |
| cs3 | X-Authenticated-User ICAP header sent by the ICAP client | |
| cs4Label | identifiedBy | |
| cs4 | The name of the detection module that processed the object | Example: Web Reputation Services; Advanced Threat Scan Engine; Virtual Analyzer; Suspicious Object; User-defined Suspicious Object; YARA Rule (+ Yara_file_name); Predictive Machine Learning Engine; ICAP: Password-protected file (bypass scanning); ICAP: Password-protected file (non-malicious, unextracted) |
| cs5Label | sha256 | |
| cs5 | SHA256 | Example: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F |
Log sample (each record is a single line; line breaks from the original layout have been removed):

CEF:0|Trend Micro|Deep Discovery Analyzer|7.1.0.1088|200129|ICAP_PRESCAN_EVENT|8|rt=Aug 01 2021 02:36:08 GMT+00:00 dvc=10.204.191.52 dvchost=DDAN deviceMacAddress=00:50:56:98:33:69 deviceGUID=627EE441-DD62-4483-B9E4-60B3C8A92529 src=10.2.11.122 cn1Label=sampleType cn1=1 fileHash=317D137FE590EE561648ECA137CB2B6898526115 request=http://wrs21.test.com:80/ malName=TSPY_KEYLOG.GC cs1Label=submitterName cs1=10.204.190.6 cs2Label=icapMode cs2=REQMOD cs3Label=sourceUser cs4Label=identifiedBy cs4=Web Reputation Services cs5Label=sha256 cs5=F5C748A953D23B8CE4F5C792FDC1E7987471DD48FE24ABA07C3CFD10B4AEF72F

CEF:0|Trend Micro|Deep Discovery Analyzer|7.1.0.1088|200129|ICAP_PRESCAN_EVENT|8|rt=Aug 01 2021 02:36:11 GMT+00:00 dvc=10.204.191.52 dvchost=DDAN deviceMacAddress=00:50:56:98:33:69 deviceGUID=627EE441-DD62-4483-B9E4-60B3C8A92529 dst=10.2.1.123 src=10.2.1.122 cn1Label=sampleType cn1=0 fname=3-layer.zip fileType=ZIP archive fileHash=D7273555CB0AC08303415CBEB3F3D72DD0893BC4 request=http://test.com/3-layer.zip malName=Eicar_test_file,TROJ_OLEXP.TPD cs1Label=submitterName cs1=10.204.190.6 cs2Label=icapMode cs2=RESPMODE cs3Label=sourceUser cs4Label=identifiedBy cs4=Advanced Threat Scan Engine cs5Label=sha256 cs5=08F18BC62297A67DD91E192A27C1EEDE3C1BBEE19A90FC0B1FADD07CE93B9823
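To turn these records into fields a SIEM rule can match on, the following is an added Python example (not Trend Micro's code) that splits the seven CEF header fields, parses the space-separated extension, and resolves the cnNLabel/csNLabel pairs from the table into named fields (sampleType, submitterName, icapMode, sourceUser, identifiedBy, sha256). Its input is the two records from the log sample above rejoined onto single lines; the function name parse_tmef and the header field names are the example's own.

```python
import re

HEADER_FIELDS = ("version", "vendor", "product", "product_version", "signature_id", "event_name", "severity")
SAMPLE_TYPES = {"0": "File sample", "1": "URL sample"}  # cn1 values from the table above

# The two records from the log sample above, rejoined onto single lines.
SAMPLE_LOGS = [
    "CEF:0|Trend Micro|Deep Discovery Analyzer|7.1.0.1088|200129|ICAP_PRESCAN_EVENT|8|"
    "rt=Aug 01 2021 02:36:08 GMT+00:00 dvc=10.204.191.52 dvchost=DDAN "
    "deviceMacAddress=00:50:56:98:33:69 deviceGUID=627EE441-DD62-4483-B9E4-60B3C8A92529 "
    "src=10.2.11.122 cn1Label=sampleType cn1=1 fileHash=317D137FE590EE561648ECA137CB2B6898526115 "
    "request=http://wrs21.test.com:80/ malName=TSPY_KEYLOG.GC cs1Label=submitterName "
    "cs1=10.204.190.6 cs2Label=icapMode cs2=REQMOD cs3Label=sourceUser cs4Label=identifiedBy "
    "cs4=Web Reputation Services cs5Label=sha256 "
    "cs5=F5C748A953D23B8CE4F5C792FDC1E7987471DD48FE24ABA07C3CFD10B4AEF72F",
    "CEF:0|Trend Micro|Deep Discovery Analyzer|7.1.0.1088|200129|ICAP_PRESCAN_EVENT|8|"
    "rt=Aug 01 2021 02:36:11 GMT+00:00 dvc=10.204.191.52 dvchost=DDAN "
    "deviceMacAddress=00:50:56:98:33:69 deviceGUID=627EE441-DD62-4483-B9E4-60B3C8A92529 "
    "dst=10.2.1.123 src=10.2.1.122 cn1Label=sampleType cn1=0 fname=3-layer.zip "
    "fileType=ZIP archive fileHash=D7273555CB0AC08303415CBEB3F3D72DD0893BC4 "
    "request=http://test.com/3-layer.zip malName=Eicar_test_file,TROJ_OLEXP.TPD "
    "cs1Label=submitterName cs1=10.204.190.6 cs2Label=icapMode cs2=RESPMODE "
    "cs3Label=sourceUser cs4Label=identifiedBy cs4=Advanced Threat Scan Engine "
    "cs5Label=sha256 cs5=08F18BC62297A67DD91E192A27C1EEDE3C1BBEE19A90FC0B1FADD07CE93B9823",
]


def parse_tmef(line):
    """Parse one TMEF (CEF:0) record into a flat dict with csN/cnN labels resolved."""
    # Seven header fields end at the seventh unescaped pipe; the remainder is the extension.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["version"] = event["version"][len("CEF:"):]
    # Extension values may contain spaces (rt, fileType, cs4): split only before the next key=.
    ext = {}
    for token in re.split(r" (?=\w+=)", parts[7]):
        key, _, value = token.partition("=")
        ext[key] = re.sub(r"\\([=|\\])", r"\1", value)  # undo CEF escaping of =, | and \
    # cs1Label=submitterName cs1=10.204.190.6 becomes submitterName=10.204.190.6;
    # a label whose value is absent (cs3Label=sourceUser in the sample) resolves to "".
    for key, label in list(ext.items()):
        if key.endswith("Label"):
            ext[label] = ext.pop(key[:-len("Label")], "")
    for key in [k for k in ext if re.fullmatch(r"c[sn]\d+Label", k)]:
        del ext[key]
    event.update(ext)
    if "sampleType" in event:  # map the cn1 code to the table's meaning
        event["sampleType"] = SAMPLE_TYPES.get(event["sampleType"], event["sampleType"])
    return event
```

A record whose cs2 value is not REQMOD or RESPMOD (the sample's second record carries RESPMODE) is worth flagging during ingestion rather than silently accepting.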