Configuring Suspicious Connection Settings

About this task

CPM can log all connections made between agents and addresses in the Global C&C IP list. The Suspicious Connection Settings screen also lets you log connections to IP addresses configured in the User-defined Blocked IP List while still allowing access to them.

CPM can also monitor connections that may be the result of a botnet or other malware threat. After detecting a malware threat, CPM can attempt to clean the infection.

Procedure

  1. Go to Configuration > Suspicious Connection Settings.
  2. Check Log network connections made to addresses in the Global C&C IP list to monitor connections made to C&C servers confirmed by Trend Micro.
    1. To allow agents to connect to addresses in the User-defined Blocked IP list, enable the Log and allow access to User-defined Blocked IP list addresses setting.
    2. To specify suspicious IP addresses to monitor or to allow access to, click Edit User-defined IP list.
    3. To display a notification message to the user, check the option Display a notification when a C&C callback is detected.
      Note: You must deploy the task Core Protection Module > Enable Suspicious Connection Service before Core Protection Module can allow access to addresses in the User-defined Blocked IP list.
  3. Click Create Configuration Task to create and save a deployment task.
  4. Specify a task name and click OK to save the task.
  5. Select the created and saved task and click Take Action.
  6. Specify one or more target computers in the Target tab of the Take Action page.
  7. Click OK to start deploying the task.