Viewing C&C Callback Logs

  1. Go to Logs > Agents > Security Risks or Agents > Agent Management.
  2. In the agent tree, click the root domain icon to include all agents or select specific domains or agents.
  3. Click View Logs > C&C Callback Logs or Logs > C&C Callback Logs.
  4. Specify the log criteria and then click Display Logs.
  5. View logs. Logs contain the following information:

    Item               Description
    -----------------  ------------------------------------------------------------------
    Date/Time          The time the detection occurred
    User               The user logged on at the time of the detection
    Compromised Host   The endpoint from which the callback originated
    IP Address         The IP address of the compromised host
    Domain             The domain of the endpoint on which the detection occurred
    Callback Address   The address to which the endpoint sent the callback
    C&C List Source    The C&C list source that identified the C&C server
    C&C Risk Level     The risk level of the C&C server
    Protocol           The Internet Protocol used for the transmission
    Process            The process that initiated the transmission (path\application_name)
    Action             The action taken on the callback

  6. If Web Reputation blocked a URL that you do not want blocked, click the Add to Web Reputation Approved List button to add the address to the Web Reputation Approved List.
    Note: OfficeScan can only add URLs to the Web Reputation Approved List. For detections made by the Global C&C IP List or the Virtual Analyzer (IP) C&C List, manually add these IP addresses to the User-defined Approved C&C IP List.

    For details, see Configuring Global User-defined IP List Settings.

  7. To save logs to a comma-separated value (CSV) file, click Export All to CSV. Open the file or save it to a specific location.
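
Once the logs are exported in step 7, they can be grouped per endpoint for triage, and each detection can be mapped to the approved list named in the note under step 6. The following Python is an added example, not part of the OfficeScan documentation or product; it assumes the CSV header row uses the field names from the log table, and the sample rows, the source name "Example URL List" and the Action values "Block" and "Log" are constructed.

```python
import csv
import io
from collections import defaultdict

# Sources named in the note under step 6; detections from these lists
# cannot be approved with the Web Reputation button.
IP_LIST_SOURCES = {"Global C&C IP List", "Virtual Analyzer (IP) C&C List"}

# Constructed sample export. Assumption: the CSV header row uses the field
# names from the log table; every value below is invented.
SAMPLE_CSV = r"""Date/Time,User,Compromised Host,IP Address,Domain,Callback Address,C&C List Source,C&C Risk Level,Protocol,Process,Action
2024-01-10 09:12:01,alice,WS-014,10.0.4.14,Finance,http://c2.example.net/gate,Example URL List,High,HTTP,C:\Temp\svc.exe,Block
2024-01-10 09:12:31,alice,WS-014,10.0.4.14,Finance,http://c2.example.net/gate,Example URL List,High,HTTP,C:\Temp\svc.exe,Block
2024-01-10 09:40:07,bob,WS-022,10.0.4.22,Sales,203.0.113.50,Global C&C IP List,Medium,TCP,C:\Tools\sync.exe,Log
2024-01-10 10:02:44,bob,WS-022,10.0.4.22,Sales,198.51.100.7,Virtual Analyzer (IP) C&C List,High,TCP,C:\Tools\sync.exe,Block
"""

def load_rows(text):
    """Parse the exported CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def approval_path(row):
    """Approved list a false positive would belong on, per the note in step 6."""
    if row["C&C List Source"] in IP_LIST_SOURCES:
        return "User-defined Approved C&C IP List"
    # Assumption: any other source is a URL detection.
    return "Web Reputation Approved List"

def summarize(rows):
    """Group detections by compromised host for triage."""
    hosts = defaultdict(lambda: {"count": 0, "addresses": set(),
                                 "processes": set(), "not_blocked": 0})
    for row in rows:
        h = hosts[row["Compromised Host"]]
        h["count"] += 1
        h["addresses"].add(row["Callback Address"])
        h["processes"].add(row["Process"])
        # Assumption: "Block" is the Action value for a stopped callback.
        if row["Action"] != "Block":
            h["not_blocked"] += 1
    return dict(hosts)

if __name__ == "__main__":
    # Hosts with callbacks that were not blocked are listed first.
    for host, s in sorted(summarize(load_rows(SAMPLE_CSV)).items(),
                          key=lambda kv: -kv[1]["not_blocked"]):
        print(host, s["count"], s["not_blocked"], sorted(s["addresses"]))
```

Repeated callbacks from one process to one address, as on WS-014 in the sample, show up as a high count with a single entry in the address set.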