Retro Scan is a cloud-based service that scans historical web access logs for callback attempts to C&C servers and other related activities in your network. Web access logs may include undetected and unblocked connections to C&C servers that have only recently been discovered. Examination of such logs is an important part of forensic investigations to determine if your network is affected by attacks.
Retro Scan stores the following log information in the Smart Protection Network:
IP addresses of endpoints monitored by Deep Discovery Inspector
URLs accessed by endpoints
GUID of Deep Discovery Inspector
Retro Scan then periodically scans the stored log entries to check for callback attempts to C&C servers in the following lists:
Trend Micro Global Intelligence list: Trend Micro compiles the list from multiple sources and evaluates the risk level of each C&C callback address. The C&C list is updated and delivered to enabled products daily.
User-defined list: Retro Scan can also scan logs against your own C&C server list. Addresses must be stored in a text file.
The Retro Scan screen in Deep Discovery Inspector only displays information for scans that use the Trend Micro Global Intelligence list.
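The retrospective matching described above, scanning stored access-log entries against a C&C list that was compiled after the traffic occurred, is shown here as a short Python example. This is an added example and not Trend Micro code; the log layout (timestamp, endpoint IP, URL), the one-address-per-line list format, the function names and all sample values are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: timestamp, endpoint IP, URL (assumed log layout).
ACCESS_LOG = """\
2024-03-01T08:15:02 10.0.0.21 http://updates.vendor.example/check
2024-03-02T23:41:10 10.0.0.35 http://cdn.badhost.example/gate.php?id=7
2024-03-03T02:05:44 10.0.0.35 https://203.0.113.50:8443/beacon
2024-03-04T11:00:00 10.0.0.21 http://sub.cdn.badhost.example/x
2024-03-05T06:30:00 10.0.0.35 http://CDN.badhost.example/gate.php?id=8
"""
CC_LIST = """\
# Constructed user-defined C&C list, one address per line (assumed format)
cdn.badhost.example
203.0.113.50
"""

def load_cc_list(text):
    """Parse the list text, ignoring blank lines and '#' comments."""
    lines = (ln.split("#", 1)[0].strip().lower() for ln in text.splitlines())
    return {ln for ln in lines if ln}

def matched_indicator(host, cc):
    """Return the listed address that host matches, or None."""
    try:
        ipaddress.ip_address(host)
        return host if host in cc else None  # IP literal: exact match only
    except ValueError:
        labels = host.split(".")  # hostname: try it, then each parent domain
        suffixes = (".".join(labels[i:]) for i in range(len(labels)))
        return next((s for s in suffixes if s in cc), None)

def retro_scan(log_text, cc):
    """Summarise callbacks per (endpoint, indicator): first/last seen, count."""
    findings = {}
    for line in log_text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # skip malformed entries
        ts, endpoint, url = fields
        indicator = matched_indicator((urlsplit(url).hostname or "").lower(), cc)
        if indicator:
            f = findings.setdefault((endpoint, indicator), {"first": ts, "last": ts, "count": 0})
            f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
            f["count"] += 1
    return findings

if __name__ == "__main__":
    print(retro_scan(ACCESS_LOG, load_cc_list(CC_LIST)))
```

The per-endpoint first-seen timestamp is the value an investigator would use to bound how long a host may have been communicating with a listed address before it was known.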