Interpreting C&C Callback Notifications
The C&C Callback notifications that unit admins receive by email can be somewhat misleading and lead one to believe that one of their endpoints is compromised when that may not be the case.
This stems from Trend’s use of the term “Compromised Host”, when this is not always the machine that needs attention.
Compromised Host: **********
IP Address: ***.***.***.***
Domain: ***\*******\
Date/Time: 10/23/2017 10:48:46
Callback address: ***.***.***.***
C&C risk level: Dangerous
C&C list source: Relevance Rule
Action: Blocked
The best way to get clarification is to look at the “Suspicious Connection” logs for the “Compromised Host”.
We can see from this log that the “Compromised Host” was actually blocking an incoming attempt from a remote IP. The “Callback address” in the email corresponds to the “Remote IP” in the log. In this particular example, we are looking at our endpoint’s OfficeScan agent blocking an attempt from a machine that has not had the MS17-010 patch applied.
This is not to say these alerts should be ignored: the traffic direction in the log could be “Outgoing”, or the result may be listed as “Logged”, and both of those cases need attention. If the direction is outgoing, look at the contents of the “Process” column to track down the source process on the endpoint. If the result is listed as “Logged”, adjust the “Suspicious Connection” settings in your profile to block C&C connections (blocking is the default setting).
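The matching and triage rules described above, written out as an added Python example (this is not Trend Micro's code or a supported OfficeScan API): it maps the e-mail's “Callback address” to the log's “Remote IP” and applies the incoming/outgoing and Blocked/Logged rules. The log column names and the sample log rows are constructed assumptions, since the real console export is not shown on this page.

```python
# Constructed sample of Suspicious Connection log rows for one endpoint.
# Column names (endpoint, remote_ip, direction, process, result) are an
# assumption; the real console export may label them differently.
SUSPICIOUS_CONNECTION_LOG = [
    {"endpoint": "WS-EXAMPLE", "remote_ip": "192.0.2.77", "direction": "Incoming",
     "process": "System", "result": "Blocked"},
    {"endpoint": "WS-EXAMPLE", "remote_ip": "198.51.100.9", "direction": "Outgoing",
     "process": "C:\\Users\\user\\AppData\\Local\\Temp\\updater.exe", "result": "Logged"},
]


def parse_notification(body):
    """Turn the 'Key: value' lines of the C&C Callback e-mail into a dict.

    Only the first ':' splits, so 'Date/Time: 10/23/2017 10:48:46' keeps its value intact.
    """
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify(row):
    """Apply the article's rules to the log row that matches the notification."""
    direction = row["direction"].lower()
    result = row["result"].lower()
    if direction == "outgoing":
        # The endpoint itself reached out: the Process column names the source.
        return ("ATTENTION", "outbound contact; track down the source via the Process "
                "column: " + row["process"])
    if result == "logged":
        # Traffic was only logged: the profile is not set to block C&C connections.
        return ("ATTENTION", "connection only logged; set the Suspicious Connection "
                "profile to block C&C connections")
    if direction == "incoming" and result == "blocked":
        # The agent blocked an inbound attempt; the remote host is the one to look at.
        return ("INFO", "agent blocked an inbound attempt from " + row["remote_ip"]
                + "; the remote host, not this endpoint, needs attention")
    return ("UNKNOWN", "unexpected direction/result combination: %s/%s" % (direction, result))


def triage(body, log=SUSPICIOUS_CONNECTION_LOG):
    """Match the e-mail's Callback address to the log's Remote IP, then classify it."""
    n = parse_notification(body)
    hits = [r for r in log
            if r["endpoint"] == n["Compromised Host"] and r["remote_ip"] == n["Callback address"]]
    if not hits:
        return ("UNKNOWN", "no Suspicious Connection log row matches the Callback address")
    return classify(hits[0])
```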