Configuring Suspicious Connection Settings

Security Agents can log and block all connections made between endpoints and addresses in the Global C&C IP list. You can also log, but still allow access to, IP addresses configured in the User-defined Blocked IP List.

Security Agents can also monitor connections that may be the result of a botnet or other malware threat. After detecting a malware threat, Security Agents can attempt to clean the infection.

  1. Go to Agents > Agent Management.
  2. In the agent tree, click the root domain icon () to include all agents or select specific domains or agents.
  3. Click Settings > Suspicious Connection Settings.

    The Suspicious Connection Settings screen appears.

  4. Enable the Detect network connections made to addresses in the Global C&C IP list setting to monitor connections made to Trend Micro confirmed C&C servers and select to Log only or Block connections.

    • To allow agents to connect to addresses in the User-defined Blocked IP list, enable the Log and allow access to User-defined Blocked IP list addresses setting.

    Note:

    You must enable network connection logging before Security Agents can allow access to addresses in the User-defined Blocked IP list.

    For details about the Global C&C IP list, see Suspicious Connection Service.
  5. Enable the Detect connections using malware network fingerprinting setting and select to Log only or Block connections.

    Malware network fingerprinting performs pattern matching on packet headers. Security Agents log all connections made by packets with headers that match known malware threats using the Relevance Rule pattern.

    • To allow Security Agents to attempt to clean connections made to C&C servers, enable the Clean suspicious connections when a C&C callback is detected setting. Security Agents use GeneriClean to clean the malware threat and terminate the connection to the C&C server.

    Note:

    You must enable Log connections using malware network fingerprinting before Security Agents can attempt to clean the connections made to C&C servers detected by packet structure matching.

  6. If you selected domain(s) or agent(s) in the agent tree, click Save. If you clicked the root domain icon, choose from the following options:

    • Apply to All Agents: Applies settings to all existing agents and to any new agent added to an existing/future domain. Future domains are domains not yet created at the time you configured the settings.

    • Apply to Future Domains Only: Applies settings only to agents added to future domains. This option will not apply settings to new agents added to an existing domain.

Parent topic: Suspicious Connection Service