The OfficeScan agent can block or log command-and-control (C&C) connections by URL and by IP address. C&C URLs are blocked or logged by Web Reputation Service, while C&C IP addresses are handled by Suspicious Connection Service. This article shows the detailed configuration for Suspicious Connection Service.
To configure Suspicious Connection Service to block/log the C&C IP address:
- On the OSCE web console, go to Agents > Agent Management.
- Navigate to Settings and click Additional Service Settings.
- Tick Suspicious Connection Service and click Save.
- Go to Settings and click Suspicious Connection Settings.
- Tick "Detect network connections made to addresses in the Global C&C IP list". For OfficeScan XG or newer, select "Log only" or "Block".
- Test the connection to the C&C IP address. In Block mode, an alert pops up, and the log can be found under Suspicious Connection.