You are experiencing a lot of FA C&C Callback Logs regarding the proxy server.
This occurrence is triggered by a previous issue wherein Deep Discovery Analyzer (DDAN) generated an Internet Protocol (IP) Suspicious Object (SO) with the proxy IP, which was then synced to the Control Manager (TMCM) server. Afterwards, TMCM deployed the SO to the OSCE server. As a result, all the OSCE clients got the SO and sent a C&C Callback Log once a connection with the proxy server was made.
The DDAN-side issue has been fixed, so DDAN no longer sends the IP SO, and on the TMCM server this IP SO has been added to the approved list, so the OSCE server should no longer be affected. However, the IP SO is still present on all the OSCE clients. The remaining problem is how to purge it, because many C&C Callback Logs still appear in the TMCM console.
To resolve the issue, enable a global setting to purge the old IP SO info on all OSCE clients:
- Back up the ofcscan.ini file.
- Open and edit the ofcscan.ini file:
  - Set inicount=4.
  - Add the following items under the ini1:

        Ini2.Description=Reset NcieSo.ini count
        Ini2.Key=!CRYPT!41A4ACF29EC21ECB12327B250325D225E5694E0B01C1627244BE580E49EA77D082B6C3C4E54
        Ini2.Value=0
        Ini3.Description=Reset NcieSo.ini data
        Ini3.Key=!CRYPT!318F200BE8A991FD4FC27B250325D225E56F6512A8CF78EF65F29016F5D
        Ini3.Value=
        Ini4.Description=Reset NcieSo.ini action
        Ini4.Key=!CRYPT!31746DB3D912A6C243627B250325D225E5636BA5D498D15AF3E1B5E0C21
        Ini4.Value=

- Go to OSCE server console > Global Setting to deploy the settings.
- Save the changes.
- Restore the ofcscan.ini file once no more clients report the C&C Callback Log.
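
A consistency check to run on the edited entries before deploying the global setting, as an added example (not Trend Micro code). It assumes that inicount is the number of IniN entries, numbered from 1, and that key names are case-insensitive; the sample text, its Ini1 entry and all Key values are constructed placeholders.

```python
import re

# Constructed sample; the Ini1 entry and every Key value are placeholders.
SAMPLE = """\
inicount=4
Ini1.Description=Existing entry (placeholder)
Ini1.Key=!CRYPT!PLACEHOLDER1
Ini1.Value=1
Ini2.Description=Reset NcieSo.ini count
Ini2.Key=!CRYPT!PLACEHOLDER2
Ini2.Value=0
Ini3.Description=Reset NcieSo.ini data
Ini3.Key=!CRYPT!PLACEHOLDER3
Ini3.Value=
Ini4.Description=Reset NcieSo.ini action
Ini4.Key=!CRYPT!PLACEHOLDER4
Ini4.Value=
"""

ENTRY = re.compile(r"^ini(\d+)\.(description|key|value)\s*=(.*)$", re.I)
COUNT = re.compile(r"^inicount\s*=\s*(\d+)\s*$", re.I)
FIELDS = {"description", "key", "value"}

def check_ini_entries(text):
    """Return a list of problems found; an empty list means consistent."""
    count, entries, problems = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := COUNT.match(line):
            count = int(m.group(1))
        elif m := ENTRY.match(line):
            idx, field = int(m.group(1)), m.group(2).lower()
            entries.setdefault(idx, {})[field] = m.group(3).strip()
    if count is None:
        return ["inicount is missing"]
    # Assumption: entries are numbered 1..inicount, each with three fields.
    for idx in range(1, count + 1):
        missing = FIELDS - set(entries.get(idx, {}))
        if missing:
            problems.append(f"Ini{idx} is missing: {', '.join(sorted(missing))}")
    for idx in sorted(i for i in entries if i > count):
        problems.append(f"Ini{idx} is numbered above inicount={count}")
    return problems

if __name__ == "__main__":
    print(check_ini_entries(SAMPLE) or "consistent")
```

To check the real file, pass the text of the edited section of ofcscan.ini to `check_ini_entries` in place of `SAMPLE`.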