Retro Scan

Retro Scan in Deep Discovery Inspector

Retro Scan is a cloud-based service that scans historical web access logs for callback attempts to C&C servers and other related activities in your network. Web access logs may include undetected and unblocked connections to C&C servers that have only recently been discovered. Examination of such logs is an important part of forensic investigations to determine if your network is affected by attacks.

Retro Scan stores the following log information in the Smart Protection Network:

  • IP addresses of endpoints monitored by Deep Discovery Inspector

  • URLs accessed by endpoints

  • GUID of Deep Discovery Inspector

Retro Scan then periodically scans the stored log entries to check for callback attempts to C&C servers in the following lists:

  • Trend Micro Global Intelligence list: Trend Micro compiles the list from multiple sources and evaluates the risk level of each C&C callback address. The C&C list is updated and delivered to enabled products daily.

  • User-defined list: Retro Scan can also scan logs against your own C&C server list. Addresses must be stored in a text file.


The Retro Scan screen in Deep Discovery Inspector only displays information for scans that use the Trend Micro Global Intelligence list.

Retro Scan in Deep Discovery Endpoint Sensor

Retro Scan investigates historical events and their activity chain based on a specified search condition. The results can be viewed as a mind map showing the execution flow of any suspicious activity. This facilitates the analysis of the enterprise-wide chain of events involved in a targeted attack.  

Retro Scan uses the following object types for its investigation:

  • DNS record

  • IP address

  • File name

  • File folder

  • SHA-1 hash values

  • MD5 hash values

  • User account

Retro Scan queries a normalized database containing an endpoint's historical events. Compared to a traditional log file, this method uses less disk space and consumes less resources.