Many false C&C Detection Logs show up on the TMCM console of the OfficeScan (OSCE) 11.0 server

    • Updated: 24 Nov 2016
    • Product/Version: OfficeScan 11.0
    • Platform:
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 2003 Datacenter 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Server R2
    • Windows 2003 Standard 64-bit
    • Windows 2008 Datacenter
    • Windows 2008 Datacenter 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server R2 Enterprise
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 2008 Web Server Edition
    • Windows 2008 Web Server Edition 64-bit
    • Windows 2012 Datacenter R2
    • Windows 2012 Enterprise
    • Windows 2012 Enterprise R2
    • Windows 2012 Server Essential R2
    • Windows 2012 Server Essentials
    • Windows 2012 Standard
    • Windows 2012 Standard R2

You are seeing many FA C&C Callback Logs that reference the proxy server.

This occurrence is triggered by a previous issue wherein Deep Discovery Analyzer (DDAN) generated an Internet Protocol (IP) Suspicious Object (SO) with the proxy IP, which was then synced to the Control Manager (TMCM) server. Afterwards, TMCM deployed the SO to the OSCE server. As a result, all the OSCE clients got the SO and sent a C&C Callback Log once a connection with the proxy server was made.

The DDAN-side issue has been fixed, so DDAN no longer sends the IP SO. On the TMCM server, this IP SO has been added to the approved list, so the OSCE server should no longer be affected. However, the IP SO is still present on all the OSCE clients, so many C&C Callback Logs still appear in the TMCM console. The remaining task is to purge the IP SO from the clients.


To resolve the issue, enable a global setting to purge the old IP SO info on all OSCE clients:

  1. Back up the ofcscan.ini file.
  2. Open and edit the ofcscan.ini file:
    1. Set inicount=4.
    2. Add the following items under the ini1:

      Ini2.Description=Reset NcieSo.ini count
      Ini3.Description=Reset NcieSo.ini data
      Ini4.Description=Reset NcieSo.ini action

  3. Go to OSCE server console > Global Setting to deploy the settings.
  4. Save the changes.
  5. Restore the ofcscan.ini file once no more clients report the C&C Callback Log.