What is Risk Tracer?
Article: TECH102539 | Created: 2007-01-27 | Updated: 2013-04-16 | Article URL: http://www.symantec.com/docs/TECH102539
Problem
You would like more information on Risk Tracer and advice on how to use it.
Solution
About Risk Tracer
Worms and threats that spread across networks by network shares have become more common in recent years. Risk Tracer is an optional feature in Symantec Endpoint Protection (SEP) that records information on what network source a threat has come from so that the root of the outbreak can be easily identified and fixed.
Risk Tracer can be extremely useful in determining which computers to isolate and scan. For illustration, export a Log History Report from the Symantec Endpoint Protection Manager (SEPM) and hide the columns that do not relate to Risk Tracer.
Example:
- Click the "Monitors" tab in the left-hand pane.
- Click "Logs" on the tab menu at the top of the screen.
- Set "Log Type:" to Risk.
- Keep the default filter.
- Click the "View Log" button.
- Export the search results.
- Import the export into Excel.
Results below.
| Event | Computer Name | Source | Source Computer Name | Source Computer IP |
| --- | --- | --- | --- | --- |
| Virus Found | TEST-130 | Auto-Protect scan | TEST-01 | 10.14.3.13 |
| Virus Found | TEST-055 | Auto-Protect scan | TEST-01 | 10.14.3.13 |
| Virus Found | TEST-065 | Auto-Protect scan | TEST-01 | 10.14.3.13 |
This log is indicating that TEST-01 at 10.14.3.13 should be isolated from the network and scanned. It is reportedly infecting other computers.
Please note that Risk Tracer relies upon very basic network awareness functionality. The computer name and IP that are listed were connecting to the SEP client at the time the infection was detected, but there may have been other connections as well. Symantec Technical Support recommends comparing the logs of several clients and noting which remote computer names and IPs keep coming up.
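The comparison Symantec Technical Support recommends above, counting which remote computer names and IPs keep coming up across several clients, is easy to automate over an exported Risk log. The following Python script is an added example, not part of the original article or the SEP product; the CSV rows it parses are constructed to mirror the table above (with extra rows for a second remote source, a local-host detection and an unknown source) and the column headers are assumed to match the SEPM export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a SEPM Risk log export, reduced to the Risk Tracer
# columns. Hostnames and IP addresses are invented for this example.
SAMPLE_RISK_LOG = """Event,Computer Name,Source,Source Computer Name,Source Computer IP
Virus Found,TEST-130,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-055,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-065,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-065,Auto-Protect scan,TEST-09,10.14.3.21
Virus Found,TEST-200,Auto-Protect scan,Local Host,
Virus Found,TEST-210,Auto-Protect scan,Unknown,
"""

# Source values that do not point at a remote computer and so are skipped.
NON_REMOTE_SOURCES = {"", "local host", "unknown"}


def parse_risk_log(text):
    """Parse a CSV Risk log export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def rank_sources(rows, min_victims=2):
    """Group detections by (source computer name, source IP) and count how many
    distinct client computers reported that source.

    Returns a list of ((name, ip), [victim computers]) sorted by the number of
    distinct victims, most first; sources named by fewer than min_victims
    clients are dropped, since a single report may just be a coincidental
    connection at detection time rather than the origin of the outbreak.
    """
    victims = defaultdict(set)
    for row in rows:
        name = (row.get("Source Computer Name") or "").strip()
        ip = (row.get("Source Computer IP") or "").strip()
        if name.lower() in NON_REMOTE_SOURCES:
            continue
        victims[(name, ip)].add(row["Computer Name"].strip())
    ranked = sorted(victims.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(src, sorted(v)) for src, v in ranked if len(v) >= min_victims]


if __name__ == "__main__":
    rows = parse_risk_log(SAMPLE_RISK_LOG)
    for (name, ip), victims in rank_sources(rows):
        print(f"{name} ({ip}) named as source by {len(victims)} clients: "
              f"{', '.join(victims)}")
```

Run against the sample above, only TEST-01 (10.14.3.13) clears the two-victim threshold; TEST-09 appears once and is left out of the isolation shortlist. Lowering `min_victims` to 1 shows every remote source, which is useful when an outbreak is still small.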
Configuring Risk Tracer
In SEPM, Risk Tracer is configured on the Advanced tab of the File System Auto-Protect page of the Antivirus and Antispyware policy.

More Information about Risk Tracer
More information about Risk Tracer can be found in the Docs folder of the product CD. The Administration Guide for Symantec™ Endpoint Protection and Symantec Network Access Control version 11.00.06.00.00 contains a section About Risk Tracer on page 434:
Risk Tracer identifies the source of network share-based virus infections on your client computers.
When Auto-Protect detects an infection, it sends information to Rtvscan, the main Symantec Endpoint Protection service. Rtvscan determines if the infection originated locally or remotely.
If the infection came from a remote computer, Rtvscan can do the following actions:
- Look up and record the computer's NetBIOS computer name and its IP address.
- Look up and record who was logged on to the computer at delivery time.
- Display the information in the Risk properties dialog box.
Rtvscan polls every second by default for network sessions, and then caches this information as a remote computer secondary source list. This information maximizes the frequency with which Risk Tracer can successfully identify the infected remote computer. For example, a risk may close the network share before Rtvscan can record the network session. Risk Tracer then uses the secondary source list to try to identify the remote computer. You can configure this information in the Auto-Protect Advanced Options dialog box.
Risk Tracer information appears in the Risk Properties dialog box, and is available only for the risk entries that the infected files cause. When Risk Tracer determines that the local host activity caused an infection, it lists the source as the local host.
Risk Tracer lists a source as unknown when the following conditions are true:
- It cannot identify the remote computer.
- The authenticated user for a file share refers to multiple computers. This condition can occur when a user ID is associated with multiple network sessions. For example, multiple computers might be logged on to a file sharing server with the same server user ID.
You can record the full list of multiple remote computers that currently infect the local computer. Set the HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\AV\ProductControl\Debug string value to "THREATTRACER X" on the local client computer. The THREATTRACER value turns on the debug output and the X ensures that only the debug output for Risk Tracer appears. You can also add an L to ensure that the logging goes to the <SAV_Program_Folder>\vpdebug.log log file. To ensure that the debug window does not appear, add XW.
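The guide excerpt above describes three outcomes (local host, an identified remote computer, or unknown) and explains why Rtvscan keeps a cached secondary source list: a share may be closed again before the detection is processed. The following Python model is an added example written for this article; it is not Rtvscan's code and does not reproduce Symantec's implementation. It assumes a poller that records open sessions once a second and keeps them for a configurable number of seconds, and it treats several candidate computers on the same share (the guide's "same server user ID" case) as unresolvable. Session data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One observed network session: remote computer, logged-on user, local share."""
    remote_name: str
    remote_ip: str
    user: str
    share: str


class SourceTracer:
    """Illustrative model of the primary/secondary source lists (assumption:
    not the real Rtvscan logic). poll() is the once-a-second session sweep;
    attribute() resolves a detection on a share to a source description."""

    def __init__(self, cache_seconds=30):
        self.cache_seconds = cache_seconds
        self._cache = {}  # (remote_ip, share) -> (Session, last_seen_time)

    def poll(self, open_sessions, now):
        """Record the sessions currently open and expire stale cache entries."""
        for s in open_sessions:
            self._cache[(s.remote_ip, s.share)] = (s, now)
        self._cache = {k: v for k, v in self._cache.items()
                       if now - v[1] <= self.cache_seconds}

    def attribute(self, share, written_locally, now, open_sessions=()):
        """Return 'Local Host', 'NAME (IP), user USER', or 'Unknown'."""
        if written_locally:
            return "Local Host"
        # Primary source list: sessions open on the share at detection time.
        candidates = [s for s in open_sessions if s.share == share]
        if not candidates:
            # Secondary source list: sessions seen on the share by recent polls,
            # which covers a share closed just before the detection arrived.
            candidates = [s for (s, seen) in self._cache.values()
                          if s.share == share and now - seen <= self.cache_seconds]
        remotes = {(s.remote_name, s.remote_ip, s.user) for s in candidates}
        if len(remotes) == 1:
            name, ip, user = next(iter(remotes))
            return f"{name} ({ip}), user {user}"
        # Nothing recorded, or several computers on the share: cannot resolve.
        return "Unknown"


SHARE = r"\\TEST-130\public"  # constructed share name


def demo():
    """Walk through the three outcomes; returns the attribution strings."""
    tracer = SourceTracer(cache_seconds=30)
    a = Session("TEST-01", "10.14.3.13", "svc_backup", SHARE)
    b = Session("TEST-09", "10.14.3.21", "svc_backup", SHARE)
    tracer.poll([a], now=100)
    results = {
        # Share already closed at t=105, but the cache still names TEST-01.
        "closed_share_recent": tracer.attribute(SHARE, False, now=105),
        # Same detection far later: cache entry has expired.
        "closed_share_stale": tracer.attribute(SHARE, False, now=200),
        "local": tracer.attribute(SHARE, True, now=200),
    }
    tracer.poll([a, b], now=300)
    # Two computers on the share with one user ID: ambiguous, so unknown.
    results["ambiguous"] = tracer.attribute(SHARE, False, now=301,
                                            open_sessions=[a, b])
    return results


if __name__ == "__main__":
    for case, source in demo().items():
        print(f"{case}: {source}")
```

The point of the model is the gap between "closed_share_recent" and "closed_share_stale": the more often sessions are sampled and the longer they are retained, the better the odds that a short-lived share connection is still attributable, which is why the guide calls out the polling interval as configurable.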
Risk Tracer also includes an option to block the IP addresses of source computers. For this option to take effect, you must set the corresponding option in the Firewall Policy to enable this type of automatic blocking.
If you want to experiment with this feature, use the test virus file Eicar.com available from the following URL: www.eicar.org
The legacy Symantec™ Client Security Installation Guide version 3.1 contains a section on Testing Risk Tracer, beginning on page 85:
- To test Risk Tracer, do the following:
On the client (for example, client A) that mounted the other client's shared directory (for example, client B), disable file system Auto-Protect. Insert the removable media that contains Eicar.com and copy the file to the shared directory on the other client (for example, client B). A virus notification alert appears. The following illustration shows this configuration.

When the Risk History is later examined, locate the EICAR Test string threat, right-click the risk and click Properties; the source computer name is identified there.
A few extra notes:
- Risk Tracer relies upon Windows File and Printer Sharing. If this is disabled (as per MS Article 199346, http://support.microsoft.com/kb/199346), Risk Tracer will not work.
- Risk Tracer works with Windows XP, Windows 2003, Windows 7 and other Windows operating systems. It is not inherently limited to Windows XP.
- The SEP client Network Threat Protection (NTP) feature must be installed for Risk Tracer to function fully.
- Risk Tracer may be disabled in order to reduce SEP's performance impact on an overburdened computer.
- The articles linked below offer additional information on using Risk Tracer.
Related Articles
Legacy ID
2007092711352448