Suspicious Object (SO) subscription is a new feature that allows OfficeScan to obtain the SO list from Control Manager (TMCM). This feature is introduced in the following OfficeScan (OSCE) 11.0 releases:
- OSCE 11.0 SP1 Critical Patch 4150 (for English customers)
- OSCE 11.0 SP1 (for Non-English customers)
- OSCE XG
With this enhancement, OfficeScan administrators will no longer need to input TMCM server information in the Suspicious Object List Settings page. After the OfficeScan server has been registered to the TMCM server, the TMCM server information under Suspicious Object List Settings page will be automatically populated within 10 minutes. OfficeScan administrator just need to click the Subscribe button to enable this feature.
The previous Suspicious Object List Settings page looks like this:
After the enhancement, the Suspicious Object List Settings page is similar to the following:
Administrators can also configure OfficeScan to directly obtain the SO list from Deep Discovery Analyzer (DDAn). After applying the patch release above, OfficeScan will still obtain the SO list from DDAn.
However, when the OfficeScan administrator clicks the Unsubscribe button under the Suspicious Object List Settings, the warning message below will appear, but it will require you to install TMCM and subscribe to SO via TMCM.
After you unsubscribe OfficeScan from Deep Discovery Analyzer, it is not possible to re-subscribe. OfficeScan must subscribe to Control Manager to synchronize suspicious objects.
It is also possible to modify the frequency of SO update.
To change the SO-File and SO-IP update frequency:
- Modify the following parameters on ofcserver.ini file:
CCCASOBLUpdateFrequency=6 (6 means minutely and 4 means hourly)
CCCASOBLUpdateMinute=5 (minimum is 1 and maximum is 59)
- Restart the OfficeScan Master Service for the changes to take effect.
To change the SO-URL update frequency:
- On the LWCS/CCCAServer.ini file, set the value of the following parameter in minutes:
UpdateSchedule = 5 (value in minutes; minimum is 1 and maximum is 60)
- Restart the LWCSService for the changes to take effect.
Suspicious Object (SO) list will be synchronized whenever an OfficeScan update is triggered, for example, OSCE agent initializes a manual update, or OSCE server notifies the agents.