You are experiencing a lot of FA C&C Callback Logs regarding the proxy server.
This occurrence is triggered by a previous issue wherein Deep Discovery Analyzer (DDAN) generated an Internet Protocol (IP) Suspicious Object (SO) with the proxy IP, which was then synced to the Control Manager (TMCM) server. Afterwards, TMCM deployed the SO to the OSCE server. As a result, all the OSCE clients got the SO and sent a C&C Callback Log once a connection with the proxy server was made.
The DDAN-side issue has been fixed, so DDAN no longer sends the IP SO. On the TMCM server, this IP SO has been added to the approved list, so the OSCE server should no longer be affected. However, the IP SO is still present on all the OSCE clients. The remaining issue is how to purge it, because many C&C Callback Logs still appear in the TMCM console.
To resolve the issue, enable a global setting to purge the old IP SO info on all OSCE clients:
- Back up the ofcscan.ini file.
- Open and edit the ofcscan.ini file:
  - Set inicount=4.
  - Add the following items under the ini1:
    Ini2.Description=Reset NcieSo.ini count
    Ini3.Description=Reset NcieSo.ini data
    Ini4.Description=Reset NcieSo.ini action
- Go to OSCE server console > Global Setting to deploy the settings.
- Save the changes.
- Restore the ofcscan.ini file once no more clients report the C&C Callback Log.