The Suspicious Connection Service manages the User-defined and Global IP C&C lists, and monitors the behavior of connections that endpoints make to potential C&C servers.
The User-defined Approved and Blocked IP lists allow further control over whether endpoints can access specific IP addresses. Configure these lists when you want to allow access to an address blocked by the Global C&C IP list or block access to an address that may pose a security risk.
For details, see Configuring Global User-defined IP List Settings.
The Global C&C IP list works in conjunction with the Network Content Inspection Engine (NCIE) to detect network connections to C&C servers that Trend Micro has confirmed. NCIE detects C&C server contact over any network channel, regardless of protocol or port. The Suspicious Connection Service logs all connection information for servers in the Global C&C IP list so that the connections can be evaluated.
For details on enabling the Global C&C IP list, see Configuring Suspicious Connection Settings.
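The precedence between the three lists described above (a User-defined Blocked entry blocks, a User-defined Approved entry overrides a Global C&C IP list match, and a Global C&C IP list match is blocked and logged for evaluation) can be modelled as a small policy evaluator. The following is an added illustrative example, not code from Trend Micro or the Suspicious Connection Service; it assumes list entries may be single addresses or CIDR ranges, that an address on both user-defined lists is treated as blocked, and that a Global C&C IP list hit is blocked as well as logged. The sample lists and connections use documentation address ranges and are constructed for the example.

```python
"""Illustrative model of Suspicious Connection Service list precedence.

Assumptions (added here, not taken from the product documentation):
  * list entries may be single IPs or CIDR ranges (e.g. "203.0.113.0/24");
  * an address present on both user-defined lists is treated as blocked;
  * a Global C&C IP list hit is blocked and recorded for evaluation.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_entries(entries: List[str]) -> List[IPNet]:
    """Turn list entries into network objects; a bare IP becomes a /32 or /128.
    strict=False lets a host address with a mask ("10.0.0.1/24") resolve to
    its network instead of raising."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def _first_match(ip: IPAddr, nets: List[IPNet]) -> Optional[IPNet]:
    """Return the first entry containing ip, skipping entries of another IP version."""
    for net in nets:
        if ip.version == net.version and ip in net:
            return net
    return None


@dataclass
class ConnectionPolicy:
    user_approved: List[str] = field(default_factory=list)
    user_blocked: List[str] = field(default_factory=list)
    global_cc: List[str] = field(default_factory=list)
    # Connections that matched the Global C&C IP list, kept for later evaluation.
    evaluation_log: List[Dict[str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self._approved = _parse_entries(self.user_approved)
        self._blocked = _parse_entries(self.user_blocked)
        self._global = _parse_entries(self.global_cc)

    def evaluate(self, src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
        """Return (verdict, reason) for a connection to dst_ip.

        Order: user-defined blocked -> user-defined approved -> Global C&C -> allow.
        Raises ValueError if dst_ip is not a valid IPv4/IPv6 address."""
        ip = ipaddress.ip_address(dst_ip)

        hit = _first_match(ip, self._blocked)
        if hit is not None:
            return "block", f"user-defined blocked list entry {hit}"

        hit = _first_match(ip, self._approved)
        if hit is not None:
            # An approved entry overrides a Global C&C IP list match for this address.
            return "allow", f"user-defined approved list entry {hit}"

        hit = _first_match(ip, self._global)
        if hit is not None:
            self.evaluation_log.append(
                {"src": src_ip, "dst": dst_ip, "port": str(dst_port), "entry": str(hit)}
            )
            return "block", f"Global C&C IP list entry {hit}"

        return "allow", "not on any list"


def build_demo_policy() -> ConnectionPolicy:
    """Constructed sample lists using RFC 5737 / RFC 3849 documentation ranges."""
    return ConnectionPolicy(
        user_approved=["203.0.113.10"],          # exception for one host in a C&C range
        user_blocked=["198.51.100.0/24"],        # locally known-bad range
        global_cc=["203.0.113.0/24", "192.0.2.77", "2001:db8:bad::/48"],
    )


if __name__ == "__main__":
    policy = build_demo_policy()
    for dst in ("198.51.100.5", "203.0.113.10", "203.0.113.20", "2001:db8:bad::1", "2001:db8::1"):
        verdict, reason = policy.evaluate("10.0.0.5", dst, 443)
        print(f"{dst:>16} -> {verdict:5} ({reason})")
    print(f"{len(policy.evaluation_log)} connection(s) logged for evaluation")
```

The evaluator is written so that each verdict carries the matching entry, which is what an operator needs when deciding whether an Approved or Blocked entry should be added or removed.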
After detecting malware on endpoints through Relevance Rule Pattern matching on network packets, the Suspicious Connection Service can further investigate the connection behavior to determine whether a C&C callback occurred. After detecting a C&C callback, the Suspicious Connection Service can attempt to block the connection and clean the process that initiated it using GeneriClean technology.
For details on configuring the Suspicious Connection Service, see Configuring Suspicious Connection Settings.
For details about GeneriClean, see GeneriClean.
Enable the Suspicious Connection Service on the Additional Service Settings screen to protect agents against C&C server callbacks. For details, see Enabling or Disabling the Agent Services from the Web Console.