C&C-related traffic in targeted attacks is often difficult to locate. Attackers change and redirect addresses, use legitimate sites and even set up C&C servers inside a company's network. Moreover, most security technologies focus solely on detecting and blocking addresses that are known to be malicious at that point in time. This is problematic because reputation scores constantly change. Addresses that are considered safe today can easily become malicious within the next hour or day.
Retro Scan examines historical web access logs to help you discover suspicious connections regardless of when the address is identified as malicious. Trend Micro recommends enabling Retro Scan to provide better protection and minimize the impact of targeted attacks.
Retro Scan functions independently from DDI and is disabled by default. To enable Retro Scan, do the following:
- Go to Administration > Monitoring / Scanning > Web Reputation.
- Click Enable Web Reputation (the default option is selected).
- Under Smart Protection Settings, select Trend Micro Smart Protection Network.
- Select Enable Retro Scan. The Service and Terms window appears.
- Read the information and click Accept.
- Click Save.
After Retro Scan is enabled, DDI periodically checks Retro Scan for scan reports. If scan reports are available, DDI displays the summarized information on the Detection > Retro Scan screen.
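The retrospective matching idea described above, as an added Python example (not Trend Micro code and not how Retro Scan is implemented): historical access-log entries are compared with a reputation feed that records when each host was first rated malicious, so connections made before the rating are surfaced. The log format, feed structure, host names and function names are all assumptions constructed for this illustration.

```python
from datetime import datetime, timezone

# Constructed sample data: "timestamp client_ip host" access-log lines.
ACCESS_LOG = """\
2024-03-01T09:15:02Z 10.0.4.21 updates.example.net
2024-03-01T09:15:40Z 10.0.4.21 cdn.example.org
2024-03-02T22:41:13Z 10.0.7.5 Updates.Example.net.
2024-03-05T08:00:00Z 10.0.4.33 updates.example.net
malformed line
"""

# Constructed feed: host -> time the host was first rated malicious.
REPUTATION_FEED = {"updates.example.net": "2024-03-04T12:00:00Z"}


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample data."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Yield (timestamp, client, host) tuples; skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            # Normalize case and a trailing dot so host comparison is stable.
            yield parse_ts(parts[0]), parts[1], parts[2].lower().rstrip(".")
        except ValueError:
            continue


def retro_scan(log_text, feed):
    """Return every logged access to a host that is rated malicious today."""
    flagged = {host.lower(): parse_ts(ts) for host, ts in feed.items()}
    hits = []
    for ts, client, host in parse_log(log_text):
        if host in flagged:
            # True when the access happened before the host was rated malicious,
            # i.e. a block list consulted at access time would have allowed it.
            hits.append({"time": ts, "client": client, "host": host,
                         "missed_at_access_time": ts < flagged[host]})
    return hits


def affected_clients(hits):
    """Clients with at least one connection that predates the rating."""
    return sorted({h["client"] for h in hits if h["missed_at_access_time"]})
```
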