Command & Control Contact Alert Services

Trend Micro Command & Control (C&C) Contact Alert Services provides enhanced detection and alert capabilities to mitigate the damage caused by advanced persistent threats and targeted attacks. C&C Contact Alert Services is integrated with Web Reputation Services, which determines the action taken on a detected callback address based on the configured web reputation security level.

The C&C IP list further enhances C&C callback detection by using the Network Content Inspection Engine to identify C&C contacts over any network channel, not only web traffic.

For details on configuring the Web Reputation Services security level, see Configuring a Web Reputation Policy.

Table 1. C&C Contact Alert Services Features
Global Intelligence list

Trend Micro Smart Protection Network compiles the Global Intelligence list from sources all over the world and tests and evaluates the risk level of each C&C callback address. Web Reputation Services uses the Global Intelligence list in conjunction with the reputation scores for malicious websites to provide enhanced security against advanced threats. The web reputation security level determines the action taken on malicious websites or C&C servers based on assigned risk levels.

Virtual Analyzer list

Smart Protection Servers can integrate with Virtual Analyzer to obtain the Virtual Analyzer C&C server list. Virtual Analyzer evaluates potential risks in a secure environment and, using advanced heuristics and behavioral testing methods, assigns a risk level to each analyzed threat. Virtual Analyzer adds to the list any possible C&C server that an analyzed threat attempts to connect to. Because it is built from samples seen in your own environment, the Virtual Analyzer list is highly company-specific and provides a more customized defense against targeted attacks.

Apex One retrieves the list from Virtual Analyzer and can evaluate all possible C&C threats against both the Global Intelligence and the local Virtual Analyzer list.

For details on connecting to the Virtual Analyzer Suspicious Objects lists, see Configuring Suspicious Object List Settings.

Suspicious Connection Service

The Suspicious Connection Service manages the User-defined and Global IP C&C lists, and monitors the behavior of connections that endpoints make to potential C&C servers.

For details, see Suspicious Connection Service.
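The three list-based features above (the Global Intelligence list with its web reputation security level, the company-specific Virtual Analyzer list, and the user-defined C&C IP list managed by the Suspicious Connection Service) all feed one decision: is a given outbound destination a C&C callback, and should it be blocked at the current security level? The following Python model, added here as an illustration and not Trend Micro code, shows that decision applied to a constructed set of outbound connection records. The list contents, the risk-level names, the precedence between lists, and the mapping from security level to blocked risk levels are all assumptions made for the example; the real mapping lives in the Web Reputation policy documentation referenced above.

```python
"""Model of a C&C callback verdict built from the lists described in this section.
Added example, not product code. Every list entry, risk level, and the
security-level-to-action table below is constructed for illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Risk levels used by the model, most to least severe (assumed names).
RISK_LEVELS = ("dangerous", "highly_suspicious", "suspicious", "untested", "safe")

# Assumed mapping: web reputation security level -> risk levels that get blocked.
# Higher levels block more; High also blocks destinations no list has rated.
BLOCKED_AT_LEVEL = {
    "high": {"dangerous", "highly_suspicious", "suspicious", "untested"},
    "medium": {"dangerous", "highly_suspicious"},
    "low": {"dangerous"},
}

# Constructed Global Intelligence list (sample entries, not real threat data).
GLOBAL_INTELLIGENCE = {
    "update.example-cdn.test": "safe",
    "beacon.badhost.test": "dangerous",
    "tracker.oddsite.test": "suspicious",
    "203.0.113.10": "highly_suspicious",
}

# Constructed Virtual Analyzer list: callbacks observed while sandboxing local samples.
VIRTUAL_ANALYZER = {
    "stage2.corp-lookalike.test": "dangerous",
    "198.51.100.7": "highly_suspicious",
}

# Constructed user-defined C&C IP list (the kind the Suspicious Connection Service manages).
USER_DEFINED_CC_NETWORKS = [ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Verdict:
    destination: str
    matched_list: str  # which list supplied the risk level
    risk: str
    action: str        # "block" or "allow"


def classify_destination(destination: str):
    """Return (list_name, risk) for a hostname or IP address.
    Precedence is an assumption of this model: user-defined list first, then the
    Virtual Analyzer list, then Global Intelligence. Unrated destinations are
    'untested', so only the High level blocks them."""
    try:
        addr = ip_address(destination)
    except ValueError:
        addr = None  # a hostname, not an IP
    if addr is not None and any(addr in net for net in USER_DEFINED_CC_NETWORKS):
        return "user_defined", "dangerous"
    if destination in VIRTUAL_ANALYZER:
        return "virtual_analyzer", VIRTUAL_ANALYZER[destination]
    if destination in GLOBAL_INTELLIGENCE:
        return "global_intelligence", GLOBAL_INTELLIGENCE[destination]
    return "none", "untested"


def evaluate(destination: str, security_level: str) -> Verdict:
    """Apply the security level to the risk level found for the destination."""
    if security_level not in BLOCKED_AT_LEVEL:
        raise ValueError(f"unknown security level: {security_level}")
    matched, risk = classify_destination(destination)
    action = "block" if risk in BLOCKED_AT_LEVEL[security_level] else "allow"
    return Verdict(destination, matched, risk, action)


# Constructed outbound-connection records: "<timestamp> <endpoint> <destination> <port>"
SAMPLE_CONNECTIONS = """\
2024-05-01T10:00:01Z ws-0142 update.example-cdn.test 443
2024-05-01T10:00:05Z ws-0142 beacon.badhost.test 8443
2024-05-01T10:01:12Z ws-0377 192.0.2.44 4444
2024-05-01T10:02:30Z ws-0377 stage2.corp-lookalike.test 80
2024-05-01T10:03:00Z ws-0512 tracker.oddsite.test 80
2024-05-01T10:04:18Z ws-0512 files.unknownvendor.test 443
2024-05-01T10:05:00Z ws-0142 198.51.100.7 443
"""


def detect_callbacks(records: str, security_level: str):
    """Evaluate each record and return the blocked connections as dicts carrying the
    fields a C&C callback log entry would need (time, endpoint, destination, evidence)."""
    events = []
    for line in records.splitlines():
        if not line.strip():
            continue
        ts, endpoint, destination, port = line.split()
        v = evaluate(destination, security_level)
        if v.action == "block":
            events.append({"time": ts, "endpoint": endpoint, "destination": destination,
                           "port": int(port), "risk": v.risk, "list": v.matched_list})
    return events


def affected_endpoints(events):
    """Distinct endpoints with at least one callback; spread across several endpoints
    is the signal an outbreak notification would key on."""
    return sorted({e["endpoint"] for e in events})


if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        found = detect_callbacks(SAMPLE_CONNECTIONS, level)
        print(level, len(found), affected_endpoints(found))
```

Running the model at each level shows the trade-off the security level controls: Low blocks only the three "dangerous" destinations, Medium adds the Virtual Analyzer entry rated "highly_suspicious", and High also blocks the "suspicious" site and the destination that no list has rated. Note that the user-defined IP list matches by network prefix, which is why the connection to 192.0.2.44 is blocked even though that exact address appears in no list.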

Administrator notifications

Administrators can choose to receive detailed, customizable notifications when a C&C callback is detected.

For details, see Configuring C&C Callback Notifications for Administrators.

Agent notifications

Administrators can choose to send detailed, customizable notifications to end users when a C&C callback is detected on their endpoint.

For details, see C&C Contact Alert Notifications for Agent Users.

Outbreak notifications

Administrators can customize outbreak notifications specific to C&C callback events and define the criteria for an outbreak, whether on a single endpoint or across the entire network.

For details, see C&C Callback Outbreaks.

C&C callback logs

Logs provide detailed information regarding all C&C callback events.

For details, see Viewing C&C Callback Logs.