About Risk Tracer
Article: HOWTO27137 | Created: 2010-01-08 | Updated: 2010-01-15 | Article URL: http://www.symantec.com/docs/HOWTO27137
If the infection came from a remote computer, Rtvscan can do the following actions:
Rtvscan polls every second by default for network sessions, and then caches this information as a remote computer secondary source list. This information maximizes the frequency with which Risk Tracer can successfully identify the infected remote computer. For example, a risk may close the network share before Rtvscan can record the network session. Risk Tracer then uses the secondary source list to try to identify the remote computer. You can configure this information in the Auto-Protect Advanced Options dialog box.
Risk Tracer information appears in the Risk Properties dialog box, and is available only for the risk entries that the infected files cause. When Risk Tracer determines that the local host activity caused an infection, it lists the source as the local host.
Risk Tracer lists a source as unknown when the following conditions are true:
The authenticated user for a file share refers to multiple computers. This condition can occur when a user ID is associated with multiple network sessions. For example, multiple computers might be logged on to a file sharing server with the same server user ID.
You can record the full list of multiple remote computers that currently infect the local computer. Set the HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\AV\ProductControl\Debug string value to “THREATTRACER X” on the local client computer. The THREATTRACER value turns on the debug output and the X ensures that only the debug output for Risk Tracer appears. You can also add an L to ensure that the logging goes to the <SAV_Program_Folder>\vpdebug.log log file. To ensure that the debug window does not appear, add XW.
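An added example, not part of the Symantec article: a small PowerShell helper for an elevated session on the client that composes the Debug string described above, writes it under the key the article names, verifies it, and removes it again when troubleshooting is done. It assumes the key path exactly as given in the article and that the optional L and W letters are appended directly after the X (that ordering is an assumption).

```powershell
# Added example (not from the Symantec article). Run as an administrator
# on the local client computer. Key path is taken verbatim from the article.
$RiskTracerKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ProductControl'

function Get-RiskTracerDebugValue {
    param([switch]$LogToFile, [switch]$HideDebugWindow)
    # "X" restricts the debug output to Risk Tracer only.
    $value = 'THREATTRACER X'
    # Assumption: extra letters follow the X directly ("XW", "XL", "XWL").
    if ($HideDebugWindow) { $value += 'W' }   # W: keep the debug window from appearing
    if ($LogToFile)       { $value += 'L' }   # L: also write to <SAV_Program_Folder>\vpdebug.log
    return $value
}

function Enable-RiskTracerDebug {
    param([switch]$LogToFile, [switch]$HideDebugWindow)
    if (-not (Test-Path $RiskTracerKey)) {
        throw "Key not found: $RiskTracerKey (is the Symantec client installed?)"
    }
    $value = Get-RiskTracerDebugValue -LogToFile:$LogToFile -HideDebugWindow:$HideDebugWindow
    # REG_SZ value named Debug; -Force overwrites any existing value.
    New-ItemProperty -Path $RiskTracerKey -Name 'Debug' -PropertyType String `
                     -Value $value -Force | Out-Null
    # Read it back so the caller can confirm what was actually written.
    return (Get-ItemProperty -Path $RiskTracerKey -Name 'Debug').Debug
}

function Disable-RiskTracerDebug {
    # Remove the value once the remote-source list has been captured so the
    # client stops emitting debug output.
    Remove-ItemProperty -Path $RiskTracerKey -Name 'Debug' -ErrorAction SilentlyContinue
}

# Usage: log Risk Tracer output to vpdebug.log without showing the debug window.
# Enable-RiskTracerDebug -LogToFile -HideDebugWindow   # returns "THREATTRACER XWL"
# ... reproduce or wait for the detection, inspect <SAV_Program_Folder>\vpdebug.log ...
# Disable-RiskTracerDebug
```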
Risk Tracer also includes an option to block the IP addresses of source computers. For this option to take effect, you must set the corresponding option in the Firewall Policy to enable this type of automatic blocking.