Views:
The Compromised Hosts view identifies hosts in your network that might be compromised, based on intelligence gathered from your Deep Discovery devices, TPS devices, and IPS devices. Two kinds of security intelligence feed the view:
  • Domain generation algorithm (DGA) Defense malware filters
  • Reputation events that score hosts and provide context from policy and attack filters
ThreatDV delivers a weekly malware filter package to help protect against the latest advanced threats, and it includes reputation feeds that are updated multiple times a day. Each reputation entry is assigned a threat score between 1 and 100 based on analysis of the activity, source, category, and threat. Malware filters are designed to detect:
  • Infiltration
  • Exfiltration
  • Phone-home
  • Command-and-control (C&C)
  • DGA
  • Mobile traffic
Some malware families use a DGA. Instead of hard-coding IP addresses or domain names that defenders could block, the malware runs an algorithm that generates a large number of domain names (often seeded by the current date) and the compromised host then attempts to contact some of them; the attacker, who knows the algorithm, registers only a few. The resulting names tend to be long, high-entropy strings with few vowels that do not resemble human-chosen names. DGA Defense filters use pattern recognition and linguistic analysis to detect these algorithmically generated DNS requests from infected hosts. As part of the malware filter package, these filters protect your network against known malware families and against suspicious domain names generated by unknown malware families.
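The following is an added example, not code from the SMS or ThreatDV: a small linguistic DGA heuristic of the kind the paragraph describes, run over a constructed DNS query log. The per-domain features (label length, character entropy, vowel ratio, longest consonant run), the thresholds, the 0.75 flag cut-off and the "two or more suspicious queries per client" rule are all assumptions chosen for illustration; the real DGA Defense filters are not published and will differ.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log: (client_ip, queried_name).
# Names are made up; nothing here comes from a real device.
SAMPLE_DNS_QUERIES = [
    ("10.1.4.22", "www.example.com"),
    ("10.1.4.22", "mail.google.com"),
    ("10.1.4.22", "cdn.jsdelivr.net"),
    ("10.1.7.90", "xkqzvbtplwmdjr.com"),
    ("10.1.7.90", "qwpzkjvhtxnbgf.net"),
    ("10.1.7.90", "mzkrvtplqdwxhb.org"),
    ("10.1.7.90", "www.example.com"),
]


def registered_label(name):
    """Return the label just left of the TLD (assumption: no multi-part
    public suffixes such as co.uk; a real implementation would use a
    public-suffix list)."""
    labels = name.lower().rstrip(".").split(".")
    return labels[0] if len(labels) < 2 else labels[-2]


def shannon_entropy(s):
    """Bits of entropy per character; human-chosen names score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s):
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in "aeiou" for ch in letters) / len(letters)


def longest_consonant_run(s):
    return max((len(m) for m in re.findall(r"[b-df-hj-np-tv-z]+", s)), default=0)


def dga_score(label):
    """Heuristic score in [0, 1]; each feature that looks machine-generated
    adds 0.25. Thresholds are assumptions, not ThreatDV's values."""
    score = 0.0
    if len(label) >= 12:
        score += 0.25
    if shannon_entropy(label) >= 3.3:
        score += 0.25
    if vowel_ratio(label) < 0.25:
        score += 0.25
    if longest_consonant_run(label) >= 4:
        score += 0.25
    return score


def is_dga_like(name, threshold=0.75):
    return dga_score(registered_label(name)) >= threshold


def flag_hosts(queries, min_hits=2):
    """Map client_ip -> DGA-like names queried, keeping only clients that
    issued at least min_hits suspicious queries (one odd name is noise;
    a burst of them is the DGA pattern)."""
    hits = {}
    for ip, name in queries:
        if is_dga_like(name):
            hits.setdefault(ip, []).append(name)
    return {ip: names for ip, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for ip, names in flag_hosts(SAMPLE_DNS_QUERIES).items():
        print(ip, "->", ", ".join(names))
```

Running it flags only 10.1.7.90, whose three consonant-only 14-character names score 1.0 each, while its one legitimate query does not count against it. Real traffic contains long, odd-looking but benign names (CDN and tracking hostnames), which is why production filters combine such features with known-family models rather than relying on a single threshold.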
To identify compromised hosts in your network environment, you must register your device for the ThreatDV service.
You can also use newly discovered threats forwarded from your Deep Discovery devices to identify compromised hosts. Deep Discovery devices detect suspicious network traffic between internal hosts and discovered C&C servers.
To include the C&C Callback Address data from your Deep Discovery device, you must include the following predefined tag categories on the SMS (Learn more: Tag Categories):
  • Trend Micro Detection Category
  • Trend Micro Publisher
  • Trend Micro Severity
  • Trend Micro Source
To view, select Threat Insights > Compromised Hosts.
The view shows the following columns:
  • IP Address: IP address (either source or destination) of the identified compromised host.
  • Host Name: Host name for the IP address, if available.
  • Last Compromised Filter: Name of the filter that most recently matched traffic to or from the compromised host.
  • Last Hit Time: Time on the device at which matching traffic was last seen.
  • Blocked Hits: Number of times traffic was blocked by a filter and an event was generated.
  • Permitted Hits: Number of times traffic matched a filter and was permitted to flow through.
If a host shows permitted hits, the matching filter is running with a permit action set, so traffic to or from the suspected C&C infrastructure was allowed through. Consider updating your security policy: change the filter's action set to Block or Block + Notify, and optionally associate the policy with a Responder policy.
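As an added example (not SMS code), this shows how the columns above can be derived from per-event filter hits and how hosts with permitted hits are picked out for policy review. The event records, field names, action-set strings and the assumption that the monitored network is 10.0.0.0/8 are all constructed for illustration; the SMS event schema is not reproduced here.

```python
from dataclasses import dataclass

# Constructed filter-hit events, one per filter match. Field names and
# values are assumptions for illustration only.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:12:04Z", "src": "10.1.7.90", "dst": "203.0.113.7",
     "filter": "ThreatDV: DGA Defense", "action": "Permit + Notify"},
    {"time": "2024-03-01T09:15:40Z", "src": "10.1.7.90", "dst": "203.0.113.7",
     "filter": "ThreatDV: C&C Callback", "action": "Block + Notify"},
    {"time": "2024-03-01T10:02:11Z", "src": "198.51.100.5", "dst": "10.1.4.22",
     "filter": "ThreatDV: Reputation", "action": "Permit + Notify"},
    {"time": "2024-03-01T08:50:00Z", "src": "10.1.7.90", "dst": "203.0.113.9",
     "filter": "ThreatDV: Phone-home", "action": "Block"},
]

INTERNAL_PREFIX = "10."  # assumption: the protected network is 10.0.0.0/8


@dataclass
class HostRow:
    """One row of the Compromised Hosts view."""
    ip: str
    last_filter: str = ""
    last_hit_time: str = ""
    blocked_hits: int = 0
    permitted_hits: int = 0


def internal_host(event):
    """The compromised host is whichever side of the flow is internal; the
    view's IP Address column is either source or destination for that reason."""
    for ip in (event["src"], event["dst"]):
        if ip.startswith(INTERNAL_PREFIX):
            return ip
    return event["src"]


def build_compromised_hosts(events):
    """Aggregate events into {ip: HostRow}."""
    rows = {}
    for ev in events:
        ip = internal_host(ev)
        row = rows.setdefault(ip, HostRow(ip))
        if ev["action"].startswith("Block"):
            row.blocked_hits += 1
        else:
            row.permitted_hits += 1
        # ISO-8601 UTC timestamps compare lexically, so the newest event wins
        # regardless of the order events arrive in.
        if ev["time"] > row.last_hit_time:
            row.last_hit_time = ev["time"]
            row.last_filter = ev["filter"]
    return rows


def hosts_needing_policy_review(rows):
    """Hosts with any permitted hits: the filter that matched them is not
    blocking, so its action set should be moved to Block or Block + Notify."""
    return sorted(ip for ip, row in rows.items() if row.permitted_hits > 0)


if __name__ == "__main__":
    table = build_compromised_hosts(SAMPLE_EVENTS)
    for row in table.values():
        print(row)
    print("review:", hosts_needing_policy_review(table))
```

Note that the out-of-order 08:50 event for 10.1.7.90 is counted but does not become the Last Hit Time; the 09:15 C&C Callback block is what the row reports. Both hosts end up in the review list because each has at least one permitted hit.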