OfficeScan XG Server Online Help > Using Web Reputation > C&C Callback Outbreaks > Configuring the C&C Callback Outbreak Criteria and Notifications

Online Help Center Home
Preface
- OfficeScan Documentation
- Audience
- Document Conventions
- Terminology
Introducing OfficeScan
- About OfficeScan
- What's New in OfficeScan XG
- Key Features and Benefits
- The OfficeScan Server
- The OfficeScan Agent
- Integration with Trend Micro Products and Services
Getting Started with OfficeScan
- The Web Console
- The Dashboard
- The Server Migration Tool
  - Using the Server Migration Tool
- Active Directory Integration
  - Integrating Active Directory with OfficeScan
  - Synchronizing Data with Active Directory Domains
- The OfficeScan Agent Tree
- OfficeScan Domains
  - Agent Grouping
Getting Started with Data Protection
- Data Protection Installation
  - Installing Data Protection
- Data Protection License
  - Activating the Plug-in Program License
  - Viewing and Renewing the License Information
- Deployment of Data Protection to OfficeScan Agents
  - Deploying the Data Protection Module to OfficeScan Agents
- Forensic Folder and DLP Database
  - Modifying the Forensic Folder and Database Settings
  - Creating a Backup of Forensic Data
- Uninstalling Data Protection
  - Uninstalling Data Protection from Plug-in Manager
Using Trend Micro Smart Protection
- About Trend Micro Smart Protection
  - The Need for a New Solution
- Smart Protection Services
- Smart Protection Sources
- Smart Protection Pattern Files
- Setting Up Smart Protection Services
- Using Smart Protection Services
Installing the OfficeScan Agent
- OfficeScan Agent Fresh Installations
- Installation Considerations
  - OfficeScan Agent Features
  - OfficeScan Agent Installation and IPv6 Support
- Deployment Considerations
- Migrating to the OfficeScan Agent
  - Migrating from Other Endpoint Security Software
    - OfficeScan Agent Migration Issues
  - Migrating from ServerProtect Normal Servers
    - Using the ServerProtect Normal Server Migration Tool
- Post-installation
- OfficeScan Agent Uninstallation
Keeping Protection Up-to-Date
- OfficeScan Components and Programs
- Update Overview
  - OfficeScan Server and OfficeScan Agent Update
  - Smart Protection Source Update
- OfficeScan Server Updates
- Integrated Smart Protection Server Updates
- OfficeScan Agent Updates
- Update Agents
- Component Update Summary
  - Update Status for OfficeScan Agents
  - Components
Scanning for Security Risks
- About Security Risks
  - Viruses and Malware
  - Spyware and Grayware
- Scan Method Types
- Scan Types
- Settings Common to All Scan Types
- Scan Privileges and Other Settings
- Global Scan Settings
  - Configuring Global Scan Settings
    - Scan Settings Section
    - Scheduled Scan Settings Section
- Security Risk Notifications
- Security Risk Logs
- Security Risk Outbreaks
Protecting Against Unknown Threats
- Predictive Machine Learning
  - Configuring Predictive Machine Learning Settings
- Suspicious Connection Service
  - Configuring Global User-defined IP List Settings
  - Configuring Suspicious Connection Settings
- Sample Submission
  - Configuring Sample Submission
- Unknown Threat Logs
Using Behavior Monitoring
- Behavior Monitoring
- Configuring Global Behavior Monitoring Settings
- Behavior Monitoring Privileges
  - Granting Behavior Monitoring Privileges
- Behavior Monitoring Notifications for OfficeScan Agent Users
  - Enabling the Sending of Notification Messages
  - Modifying the Content of the Notification Message
- Behavior Monitoring Logs
  - Viewing Behavior Monitoring Logs
  - Configuring the Behavior Monitoring Log Sending Schedule
Using Device Control
- Device Control
- Permissions for Storage Devices
  - Advanced Permissions for Storage Devices
    - Specifying a Digital Signature Provider
    - Specifying a Program Path and Name
- Permissions for Non-storage Devices
- Managing Access to External Devices (Data Protection Activated)
- Managing Access to External Devices (Data Protection Not Activated)
  - Adding Programs to the Device Control Lists Using ofcscan.ini
- Modifying Device Control Notifications
- Device Control Logs
  - Viewing Device Control Logs
Using Data Loss Prevention
- About Data Loss Prevention (DLP)
- Data Loss Prevention Policies
  - Policy Configuration
- Data Identifier Types
- Data Loss Prevention Templates
  - Predefined DLP Templates
  - Customized DLP Templates
- DLP Channels
- Data Loss Prevention Actions
- Data Loss Prevention Exceptions
  - Defining Non-monitored and Monitored Targets
  - Decompression Rules
- Data Loss Prevention Policy Configuration
- Data Loss Prevention Notifications
  - Data Loss Prevention Notifications for Administrators
    - Configuring Data Loss Prevention Notification for Administrators
  - Data Loss Prevention Notifications for Agent Users
    - Configuring Data Loss Prevention Notification for Agents
- Data Loss Prevention Logs
  - Viewing Data Loss Prevention Logs
    - Processes by Channel
    - Data Loss Prevention Log Details
  - Enabling Debug Logging for the Data Protection Module
Using Web Reputation
- About Web Threats
- Command & Control Contact Alert Services
- Web Reputation
- Web Reputation Policies
  - Configuring a Web Reputation Policy
- Web Threat Notifications for Agent Users
  - Enabling the Web Threat Notification Message
  - Modifying the Web Threat Notifications
- C&C Callback Notifications for Administrators
  - Configuring C&C Callback Notifications for Administrators
- C&C Contact Alert Notifications for Agent Users
  - Enabling the C&C Callback Notification Message
  - Modifying the C&C Callback Notifications
- C&C Callback Outbreaks
  - Configuring the C&C Callback Outbreak Criteria and Notifications
- Web Threat Logs
  - Viewing Web Reputation Logs
  - Viewing C&C Callback Logs
Using the OfficeScan Firewall
- About the OfficeScan Firewall
- Enabling or Disabling the OfficeScan Firewall
  - Enabling or Disabling the OfficeScan Firewall on Selected Endpoints
  - Enabling or Disabling the OfficeScan Firewall on All Endpoints
- Firewall Policies and Profiles
  - Firewall Policies
  - Firewall Profiles
    - Configuring the Firewall Profile List
    - Adding and Editing a Firewall Profile
      - Adding a Firewall Profile
      - Modifying a Firewall Profile
- Firewall Privileges
  - Granting Firewall Privileges
- Global Firewall Settings
  - Configuring Global Firewall Settings
- Firewall Violation Notifications for OfficeScan Agent Users
  - Granting Users the Privilege to Enable/Disable the Notification Message
  - Modifying the Content of the Firewall Notification Message
- Firewall Logs
  - Viewing Firewall Logs
- Firewall Violation Outbreaks
  - Configuring the Firewall Violation Outbreak Criteria and Notifications
- Testing the OfficeScan Firewall
Managing the OfficeScan Server
- Role-based Administration
- Trend Micro Control Manager
- Suspicious Object List Settings
  - Configuring Suspicious Object List Settings
- Reference Servers
  - Managing the Reference Server List
- Administrator Notification Settings
  - Configuring General Notification Settings
- System Event Logs
  - Viewing System Event Logs
- Log Management
  - Log Maintenance
    - Deleting Logs Based on a Schedule
    - Manually Deleting Logs
- Licenses
  - Viewing Product License Information
  - Activating or Renewing a License
- OfficeScan Database Backup
  - Backing up the OfficeScan Database
  - Restoring the Database Backup Files
- SQL Server Migration Tool
  - Using the SQL Server Migration Tool
  - Configuring the SQL Database Unavailable Alert
- OfficeScan Web Server/Agent Connection Settings
  - Configuring Connection Settings
- Server-Agent Communication
  - Authentication of Server-initiated Communications
    - Configuring Authentication of Server-initiated Communications
    - Using Authentication Certificate Manager
  - Enhanced Encryption of Server-Agent Communication
- Web Console Password
- Web Console Settings
  - Configuring Web Console Settings
- Quarantine Manager
  - Configuring Quarantine Directory Settings
- Server Tuner
  - Running Server Tuner
- Smart Feedback
  - Participating in the Smart Feedback Program
Managing the OfficeScan Agent
- Endpoint Location
- OfficeScan Agent Program Management
- Agent-Server Connection
- OfficeScan Agent Proxy Settings
- Viewing OfficeScan Agent Information
- Importing and Exporting Agent Settings
  - Exporting Agent Settings
  - Importing Agent Settings
- Security Compliance
- Trend Micro Virtual Desktop Support
- Global Agent Settings
- Configuring Agent Privileges and Other Settings
Protecting Off-premises Agents
- Edge Relay Server
- Edge Relay Server System Requirements
- Installing the Edge Relay Server
- Connecting to the Edge Relay Server
- Managing the Edge Relay Server Connection
- Managing Edge Relay Server Certificates
Using Plug-in Manager
- About Plug-in Manager
  - Plug-in Program Agents on Endpoints
  - Widgets
- Plug-in Manager Installation
  - Performing Post-installation Tasks
- Native OfficeScan Feature Management
- Managing Plug-in Programs
- Uninstalling Plug-in Manager
- Troubleshooting Plug-in Manager
Troubleshooting Resources
- Support Intelligence System
- Case Diagnostic Tool
- Trend Micro Performance Tuning Tool
- OfficeScan Server Logs
- OfficeScan Agent Logs
Technical Support
- Troubleshooting Resources
  - Using the Support Portal
  - Threat Encyclopedia
- Contacting Trend Micro
  - Speeding Up the Support Call
- Sending Suspicious Content to Trend Micro
- Other Resources
  - Download Center
  - Documentation Feedback
IPv6 Support in OfficeScan
- IPv6 Support for OfficeScan Server and Agents
- Configuring IPv6 Addresses
- Screens That Display IP Addresses
Windows Server Core Support
- Windows Server Core Support
- Installation Methods for Windows Server Core
  - Installing the OfficeScan Agent Using Login Script Setup
  - Installing the OfficeScan Agent Using the OfficeScan Agent Package
- OfficeScan Agent Features on Windows Server Core
- Windows Server Core Commands
Windows 8/8.1/10 and Windows Server 2012/2016 Support
- About Windows 8/8.1/10 and Windows Server 2012/2016
- OfficeScan Feature Support by UI Mode
- Internet Explorer 10/11 and Microsoft Edge
OfficeScan Rollback
- Rolling Back the OfficeScan Server and OfficeScan Agents Using the Server Backup Package
  - Rolling Back the OfficeScan Agents
  - Restoring the Previous OfficeScan Server Version
Glossary
- ActiveUpdate
- Compressed File
- Cookie
- Denial of Service Attack
- DHCP
- DNS
- Domain Name
- Dynamic IP Address
- ESMTP
- End User License Agreement
- False Positive
- FTP
- GeneriClean
- Hot Fix
- HTTP
- HTTPS
- ICMP
- IntelliScan
- IntelliTrap
- IP
- Java File
- LDAP
- Listening Port
- MCP Agent
- Mixed Threat Attack
- NAT
- NetBIOS
- One-way Communication
- Patch
- Phish Attack
- Ping
- POP3
- Proxy Server
- RPC
- Security Patch
- Service Pack
- SMTP
- SNMP
- SNMP Trap
- SSL
- SSL Certificate
- TCP
- Telnet
- Trojan Port
- Trusted Port
  - Determining the Trusted Ports
- Two-way Communication
- UDP
- Uncleanable Files
  - Files Infected with Trojans

Configuring the C&C Callback Outbreak Criteria and Notifications

Go to Administration > Notifications > Outbreak.

On the Criteria tab, configure the following options:

Option	Description
Same compromised host	Select to define an outbreak based on the callback detections per endpoint
C&C risk level	Specify whether to trigger an outbreak on all C&C callbacks or only high risk sources
Action	Select from Any action, Logged, or Blocked
Detections	Indicate the required number of detections that defines an outbreak
Time Period	Indicate the number of hours that the number of detections must occur within

Tip:

Trend Micro recommends accepting the default values in this screen.

In the Email tab:

Go to the C&C Callbacks section.
Select Enable notification via email.
Specify the email recipients.

Accept or modify the default email subject and message. You can use token variables to represent data in the Subject and Message fields.

Table 1. Token Variables for C&C Callbacks Outbreak Notifications
Variable	Description
%C	Number of C&C callback logs
%T	Time period when the C&C callback logs accumulated

Select from the available additional C&C callback information to include in the email.

In the SNMP Trap tab:
1. Go to the C&C Callbacks section.
2. Select Enable notification via SNMP trap.
3. Accept or modify the default message. You can use token variables to represent data in the Message field. See Table 1 for details.
In the NT Event Log tab:
1. Go to the C&C Callbacks section.
2. Select Enable notification via NT Event Log.
3. Accept or modify the default message. You can use token variables to represent data in the Message field. See Table 1 for details.
Click Save.