Configuring C&C Callback Notifications for Administrators

OfficeScan comes with a set of default notification messages that inform you and other OfficeScan administrators of C&C callback detections. You can modify the notifications and configure additional notification settings to suit your requirements.

Procedure

  1. Navigate to Notifications > Administrator Notifications > Standard Notifications.
  2. On the Criteria tab:
    1. Go to the C&C Callbacks section.
    2. Specify whether to send notifications when OfficeScan detects a C&C callback (the action can be blocked or logged) or only when the risk level of the callback address is High.
  3. On the Email tab:
    1. Go to the C&C Callbacks section.
    2. Select Enable notification via email.
    3. Select Send notifications to users with client tree domain permissions.
      Use Role-based Administration to grant client tree domain permissions to users. If transmission occurs on a client belonging to a specific domain, the email is sent to the email addresses of the users with domain permissions. See the following table for examples:

      Client Tree Domains and Permissions

      | Client Tree Domain | Roles with Domain Permissions | User Account with the Role | Email Address for the User Account |
      |--------------------|-------------------------------|----------------------------|------------------------------------|
      | Domain A           | Administrator (built-in)      | root                       | mary@xyz.com                       |
      |                    | Role_01                       | admin_john                 | john@xyz.com                       |
      |                    |                               | admin_chris                | chris@xyz.com                      |
      | Domain B           | Administrator (built-in)      | root                       | mary@xyz.com                       |
      |                    | Role_02                       | admin_jane                 | jane@xyz.com                       |

      If an OfficeScan client belonging to Domain A detects a C&C callback, the email will be sent to mary@xyz.com, john@xyz.com, and chris@xyz.com.
      If a client belonging to Domain B detects the C&C callback, the email is sent to mary@xyz.com and jane@xyz.com.
      Note
      When enabling this option, all users with domain permissions must have a corresponding email address. The email notification will not be sent to users without an email address. Users and email addresses are configured from Administration > User Accounts.
    4. Select Send notifications to the following email address(es) and then type the email addresses.
    5. Accept or modify the default subject and message. Use token variables to represent data in the Subject and Message fields.

      Token Variables for C&C Callback Notifications

      | Variable          | Description                                 |
      |-------------------|---------------------------------------------|
      | %CLIENTCOMPUTER%  | Target computer that sent the callback      |
      | %IP%              | IP address of the targeted computer         |
      | %DOMAIN%          | Domain of the computer                      |
      | %DATETIME%        | Date and time the transmission was detected |
      | %CALLBACKADDRESS% | Callback address of the C&C server          |
      | %CNCRISKLEVEL%    | Risk level of the C&C server                |
      | %CNCLISTSOURCE%   | Indicates the C&C source list               |
      | %ACTION%          | Action taken                                |
  4. On the SNMP Trap tab:
    1. Go to the C&C Callbacks section.
    2. Select Enable notification via SNMP trap.
    3. Accept or modify the default message. Use token variables to represent data in the Message field. See Token Variables for C&C Callback Notifications for details.
  5. On the NT Event Log tab:
    1. Go to the C&C Callbacks section.
    2. Select Enable notification via NT Event Log.
    3. Accept or modify the default message. You can use token variables to represent data in the Message field. See Token Variables for C&C Callback Notifications for details.
  6. Click Save.
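
The Message fields on the SNMP Trap and NT Event Log tabs can carry the token variables in a layout that a log collector can parse back into fields. The following is an added example, not part of the OfficeScan documentation: the `CNC_CALLBACK` prefix, the lowercase key names, the sample values, and the assumption that the product replaces each token with plain text are all hypothetical.

```python
import re

# Tokens from "Token Variables for C&C Callback Notifications" on this page.
TOKENS = ["CLIENTCOMPUTER", "IP", "DOMAIN", "DATETIME",
          "CALLBACKADDRESS", "CNCRISKLEVEL", "CNCLISTSOURCE", "ACTION"]
PREFIX = "CNC_CALLBACK "                  # hypothetical marker, not a product string
PAIR = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample values; real values come from the product.
SAMPLE = {
    "CLIENTCOMPUTER": "WS-0142", "IP": "192.0.2.15", "DOMAIN": "Domain A",
    "DATETIME": "2024-01-01 10:00:00",
    "CALLBACKADDRESS": "http://c2.example.invalid/gate",
    "CNCRISKLEVEL": "High", "CNCLISTSOURCE": "list-source-placeholder",
    "ACTION": "Block",
}

def build_template():
    """Text to paste into the Message field: one key="%TOKEN%" pair per token."""
    return PREFIX + " ".join(f'{t.lower()}="%{t}%"' for t in TOKENS)

def simulate_render(template, values):
    """Stand-in for the product's token replacement (assumed: plain substitution)."""
    return re.sub(r"%([A-Z]+)%", lambda m: values.get(m.group(1), m.group(0)), template)

def parse_message(message):
    """Return the fields of a rendered message, or raise ValueError if malformed."""
    if not message.startswith(PREFIX):
        raise ValueError("not a C&C callback notification")
    pairs = PAIR.findall(message)
    keys = [k for k, _ in pairs]
    # The callback address is remote-influenced text: a quote inside it can
    # add or repeat keys, so require exactly the expected keys, once each.
    if sorted(keys) != sorted(t.lower() for t in TOKENS):
        raise ValueError(f"unexpected field set: {keys}")
    fields = dict(pairs)
    unexpanded = [k for k, v in fields.items() if re.fullmatch(r"%[A-Z]+%", v)]
    if unexpanded:
        raise ValueError(f"tokens not replaced: {unexpanded}")
    return fields

if __name__ == "__main__":
    print(build_template())
    print(parse_message(simulate_render(build_template(), SAMPLE)))
```

Messages that fail `parse_message` are worth keeping for manual review rather than discarding, since a malformed callback address is itself a signal.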