About Risk Tracer

Article:HOWTO27137  |  Created: 2010-01-08  |  Updated: 2010-01-15  |  Article URL http://www.symantec.com/docs/HOWTO27137
Article Type
How To


About Risk Tracer

Risk Tracer identifies the source of network share-based virus infections on your client computers.

When Auto-Protect detects an infection, it sends information to Rtvscan, the main Symantec Endpoint Protection service. Rtvscan determines if the infection originated locally or remotely.

If the infection came from a remote computer, Rtvscan can do the following actions:

  • Look up and record the computer's NetBIOS computer name and its IP address.

  • Look up and record who was logged on to the computer at delivery time.

  • Display the information in the Risk properties dialog box.

Rtvscan polls every second by default for network sessions, and then caches this information as a remote computer secondary source list. This information maximizes the frequency with which Risk Tracer can successfully identify the infected remote computer. For example, a risk may close the network share before Rtvscan can record the network session. Risk Tracer then uses the secondary source list to try to identify the remote computer. You can configure this information in the Auto-Protect Advanced Options dialog box.

Risk Tracer information appears in the Risk Properties dialog box, and is available only for the risk entries that the infected files cause. When Risk Tracer determines that the local host activity caused an infection, it lists the source as the local host.

Risk Tracer lists a source as unknown when the following conditions are true:

  • It cannot identify the remote computer.

  • The authenticated user for a file share refers to multiple computers. This condition can occur when a user ID is associated with multiple network sessions. For example, multiple computers might be logged on to a file sharing server with the same server user ID.

You can record the full list of multiple remote computers that currently infect the local computer. Set the HKEY_LOCAL_MACHINE\​Software\​Symantec\​Symantec Endpoint Protection\​AV\​ProductControl\​Debug string value to “THREATTRACER X” on the local client computer. The THREATTRACER value turns on the debug output and the X ensures that only the debug output for Risk Tracer appears. You can also add an L to ensure that the logging goes to the <SAV_Program_Folder>\vpdebug.log log file. To ensure that the debug window does not appear, add XW.

If you want to experiment with this feature, use the test virus file Eicar.com available from the following URL:


Risk Tracer also includes an option to block the IP addresses of source computers. For this option to take effect, you must set the corresponding option in the Firewall Policy to enable this type of automatic blocking.

See Configuring File System Auto-Protect for Windows clients.

Legacy ID


Article URL http://www.symantec.com/docs/HOWTO27137

Terms of use for this information are found in Legal Notices