An endpoint is classified as "infected" if traffic is observed between the host and a set of known command-and-control servers.
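The classification rule above, applied to flow records, as an added example that is not code from the original page. The flow-record format (`timestamp src dst port`), the internal network range, and every address are constructed assumptions; the addresses come from documentation ranges and are not real indicators.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real indicators).
KNOWN_C2 = ["203.0.113.10", "198.51.100.0/28"]  # assumed feed: single IPs or CIDR blocks
INTERNAL_NET = "10.0.0.0/8"                      # assumed range that holds the endpoints
FLOWS = """\
2024-01-01T10:00:00Z 10.0.0.5 192.0.2.20 443
2024-01-01T10:00:02Z 10.0.0.7 203.0.113.10 8080
2024-01-01T10:00:03Z 198.51.100.3 10.0.0.9 51544
2024-01-01T10:00:04Z 10.0.0.5 198.51.100.200 443
malformed line
2024-01-01T10:00:05Z 10.0.0.7 203.0.113.10 8080
"""

def load_c2(entries):
    """Normalise feed entries (bare IPs or CIDRs) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_c2(addr, c2_nets):
    return any(addr in net for net in c2_nets)

def classify(flow_text, c2_entries=KNOWN_C2, internal=INTERNAL_NET):
    """Return {endpoint: [(timestamp, c2_peer), ...]} for endpoints classified as infected."""
    c2_nets = load_c2(c2_entries)
    inside = ipaddress.ip_network(internal)
    infected = {}
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip records that do not match the assumed format
        ts, src, dst, _port = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip unparseable addresses
        # "Between" is direction-agnostic: check host->C2 and C2->host.
        for host, peer in ((src_ip, dst_ip), (dst_ip, src_ip)):
            if host in inside and is_c2(peer, c2_nets):
                infected.setdefault(str(host), []).append((ts, str(peer)))
    return infected

if __name__ == "__main__":
    for endpoint, evidence in sorted(classify(FLOWS).items()):
        print(endpoint, "infected", evidence)
```

Keeping the matching flow records alongside each verdict lets an analyst review the evidence behind a classification.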