Many false C&C Detection Logs show up on the TMCM console of the OfficeScan (OSCE) 11.0 server

    • Updated: 7 Jan 2016
    • Product/Version: OfficeScan 11.0
    • Platform:
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 2003 Datacenter 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Server R2
    • Windows 2003 Standard 64-bit
    • Windows 2008 Datacenter
    • Windows 2008 Datacenter 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server R2 Enterprise
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 2008 Web Server Edition
    • Windows 2008 Web Server Edition 64-bit
    • Windows 2012 Datacenter R2
    • Windows 2012 Enterprise
    • Windows 2012 Enterprise R2
    • Windows 2012 Server Essential R2
    • Windows 2012 Server Essentials
    • Windows 2012 Standard
    • Windows 2012 Standard R2
Summary

Many false-alarm (FA) C&C Callback logs involving the proxy server appear in the TMCM console.

The root cause is an earlier issue in which Deep Discovery Analyzer (DDAN) generated an IP Suspicious Object (SO) for the proxy server's IP address. The SO was synced to the Control Manager (TMCM) server, and TMCM then deployed it to the OSCE server. As a result, every OSCE client received the SO and logged a C&C Callback each time it connected to the proxy server.

The DDAN-side issue has been fixed, so DDAN no longer sends this IP SO, and the IP SO has been added to the approved list on the TMCM server, so the OSCE server is no longer affected. However, the stale IP SO is still cached on every OSCE client, so they keep sending C&C Callback logs that show up in the TMCM console. The remaining task is to purge it from the clients.

Details

To resolve the issue, enable a global setting that purges the stale IP SO from all OSCE clients:

  1. On the OSCE server, back up the ofcscan.ini file.
  2. Open ofcscan.ini in a text editor and edit it:
    1. Set inicount=4.
    2. Add the following entries after the existing Ini1 entries (Ini2 resets the client's NcieSo.ini count to 0; Ini3 and Ini4 carry blank values that clear its data and action fields):

      Ini2.Description=Reset NcieSo.ini count
      Ini2.Key=!CRYPT!41A4ACF29EC21ECB12327B250325D225E5694E0B01C1627244BE580E49EA77D082B6C3C4E54
      Ini2.Value=0
      Ini3.Description=Reset NcieSo.ini data
      Ini3.Key=!CRYPT!318F200BE8A991FD4FC27B250325D225E56F6512A8CF78EF65F29016F5D
      Ini3.Value=
      Ini4.Description=Reset NcieSo.ini action
      Ini4.Key=!CRYPT!31746DB3D912A6C243627B250325D225E5636BA5D498D15AF3E1B5E0C21
      Ini4.Value=

  3. Save the file.
  4. Log on to the OSCE server web console, go to Global Settings, and click Save so the updated settings are deployed to the clients.
  5. Once no client reports the C&C Callback log any more, restore the backed-up ofcscan.ini.
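The ini edit in steps 1 and 2 is easy to get wrong by hand (a duplicated block, a typo in a !CRYPT! key, a forgotten backup). The script below is an added example written for this article, not a Trend Micro tool: it backs up ofcscan.ini, sets inicount=4, inserts the three reset entries verbatim after the last Ini1 line, and refuses to touch a file whose layout does not match the article's assumption that only Ini1 exists. The embedded sample ini, including the `[Global Setting]` section name and the Ini1 entry, is constructed for the example and is an assumption, not content from a real server.

```python
"""Apply the ofcscan.ini change from this article (inicount=4 plus Ini2..Ini4 reset entries)."""
import re
import shutil
from pathlib import Path

# The three entries from the article, verbatim. Ini2 resets the client's
# NcieSo.ini count to 0; Ini3 and Ini4 carry blank values that clear its
# data and action fields.
RESET_ENTRIES = [
    "Ini2.Description=Reset NcieSo.ini count",
    "Ini2.Key=!CRYPT!41A4ACF29EC21ECB12327B250325D225E5694E0B01C1627244BE580E49EA77D082B6C3C4E54",
    "Ini2.Value=0",
    "Ini3.Description=Reset NcieSo.ini data",
    "Ini3.Key=!CRYPT!318F200BE8A991FD4FC27B250325D225E56F6512A8CF78EF65F29016F5D",
    "Ini3.Value=",
    "Ini4.Description=Reset NcieSo.ini action",
    "Ini4.Key=!CRYPT!31746DB3D912A6C243627B250325D225E5636BA5D498D15AF3E1B5E0C21",
    "Ini4.Value=",
]

# Constructed sample: the section name and the Ini1 entry are assumptions
# made for this example, not copied from a real OfficeScan server.
SAMPLE_INI = (
    "[Global Setting]\r\n"
    "inicount=1\r\n"
    "Ini1.Description=Existing entry (constructed)\r\n"
    "Ini1.Key=ExampleKey\r\n"
    "Ini1.Value=1\r\n"
    "[Other Section]\r\n"
    "Foo=Bar\r\n"
)


def apply_reset_block(text: str) -> str:
    """Return ofcscan.ini content with inicount=4 and the reset entries added.

    Idempotent: if the article's Ini2.Key is already present, the text is
    returned unchanged. Raises ValueError when the file does not look like the
    layout the article assumes (inicount present, Ini1 present, no Ini2-Ini4),
    so an unexpected file is never silently rewritten.
    """
    newline = "\r\n" if "\r\n" in text else "\n"  # preserve the file's line endings
    lines = text.splitlines()
    if any(RESET_ENTRIES[1] in ln for ln in lines):
        return text  # already applied, do not duplicate the block
    if any(re.match(r"(?i)\s*Ini[234]\.", ln) for ln in lines):
        raise ValueError("Ini2-Ini4 already in use; the article assumes only Ini1 exists")

    out = []
    count_set = False
    last_ini1 = None
    for ln in lines:
        if re.match(r"(?i)\s*inicount\s*=", ln):
            key = ln.split("=", 1)[0].strip()  # keep the file's own key casing
            ln = f"{key}=4"
            count_set = True
        out.append(ln)
        if re.match(r"(?i)\s*Ini1\.", ln):
            last_ini1 = len(out) - 1  # insert point: after the last Ini1.* line

    if not count_set or last_ini1 is None:
        raise ValueError("inicount or Ini1.* entries not found in ofcscan.ini")
    out[last_ini1 + 1:last_ini1 + 1] = RESET_ENTRIES
    return newline.join(out) + newline


def update_ofcscan(ini_path: Path) -> Path:
    """Back up ofcscan.ini to ofcscan.ini.bak (step 1), then rewrite it (step 2).

    Returns the backup path; copying it back over ofcscan.ini is step 5 once
    the clients stop logging the callback.
    """
    backup = ini_path.with_suffix(ini_path.suffix + ".bak")
    if not backup.exists():  # never overwrite an earlier backup
        shutil.copy2(ini_path, backup)
    # latin-1 round-trips every byte, so bytes elsewhere in the file survive untouched
    original = ini_path.read_bytes().decode("latin-1")
    ini_path.write_bytes(apply_reset_block(original).encode("latin-1"))
    return backup


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        ini = Path(tmp) / "ofcscan.ini"
        ini.write_bytes(SAMPLE_INI.encode("latin-1"))
        bak = update_ofcscan(ini)
        print(f"backup written to {bak}")
        print(ini.read_text(encoding="latin-1"))
```

Run it against the real file as `update_ofcscan(Path(r"C:\...\PCCSRV\ofcscan.ini"))` (the path to your OSCE server's PCCSRV folder is an assumption here), then deploy from the web console as in step 4. Step 5 is the reverse: copy ofcscan.ini.bak back over ofcscan.ini after the last client has stopped reporting.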
Category: Configure; Troubleshoot
Solution Id: 1113304