How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

Article:TECH94526  |  Created: 2009-01-11  |  Updated: 2013-04-16
Article Type: Technical Solution

How can you use SEP's optional Risk Tracer capabilities to locate infected machines that are attempting to spread a threat during an outbreak?

How can you view the information Risk Tracer has gathered to show the top machines that are attacking other machines in your environment?



Risk Tracer must first be enabled in your Antivirus and Antispyware policy in order to view the information it can collect.  To function fully, Risk Tracer requires Network Threat Protection (NTP) and IPS to be installed and IPS Active Response to be enabled.
[Please see What is Risk Tracer? for more information.]

To view the top machines that are attacking other machines in your environment, as discovered by Auto-Protect and located by Risk Tracer, open the Symantec Endpoint Protection Manager (SEPM) and go to the Monitors page. View the "Risk Distribution by Attacker" chart under "Summary", which should show the IP addresses of the risk attackers.


More details on a specific threat can be found at:
Monitors -> Logs tab -> Log type: Risk, then click View Log. Select the particular risk you wish to view more information about and click the Details hyperlink at the top of the page.


How to enable Risk Tracer in SEPM 12.1

  • Log in to SEPM.
  • Click the Policies tab.
  • Right-click the Antivirus and Antispyware policy and click Edit.
  • Click Auto-Protect.
  • Click the Advanced tab, then click Risk Tracer under Additional Options.
  • Put a check mark in Enable Risk Tracer and then click OK.

Technical Information
After Risk Tracer is enabled in the SEP 11.0 client, Risk Tracer log files can be collected from the following directory paths:

  • Windows 2003 Server, Windows XP : C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\
  • Windows 7 : C:\Users\All Users\Symantec\Symantec Endpoint Protection\Logs\ 
  • Windows 2008 Server: C:\ProgramData\Symantec\Symantec Endpoint Protection\Logs\

For SEP 12.1 the raw logs can be found under the following path:

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Logs\AV
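
During an outbreak, the log directories listed above can be copied off a client and hashed so the copies can later be shown to be unaltered. The PowerShell below is an added example, not Symantec code: the function name `Copy-SepLogs` and the destination folder are assumptions, the source paths are taken verbatim from this article, and `Get-FileHash` requires PowerShell 4.0 or later.

```powershell
# Added example (not Symantec code). Source paths are copied from this article;
# Copy-SepLogs and the default destination folder are hypothetical names.
function Copy-SepLogs {
    param([string]$Destination = 'C:\IR\SEP-Logs')   # assumed evidence folder

    $candidates = @(
        'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\',
        'C:\Users\All Users\Symantec\Symantec Endpoint Protection\Logs\',
        'C:\ProgramData\Symantec\Symantec Endpoint Protection\Logs\',
        'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Logs\AV'
    )

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $Destination "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    $manifest = @()
    $index = 0
    foreach ($dir in $candidates) {
        $index++
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

        # One subfolder per source directory so identical file names cannot collide
        # (two of the listed paths can resolve to the same directory on one machine).
        $sub = Join-Path $target ("source{0}" -f $index)
        New-Item -ItemType Directory -Path $sub -Force | Out-Null

        foreach ($file in Get-ChildItem -LiteralPath $dir -File) {
            $row = [ordered]@{ Source = $file.FullName; Copy = ''; SHA256 = ''; Error = ''
                               LastWriteUtc = $file.LastWriteTimeUtc.ToString('o') }
            try {
                $copy = Copy-Item -LiteralPath $file.FullName -Destination $sub -PassThru -ErrorAction Stop
                $row.Copy   = $copy.FullName
                $row.SHA256 = (Get-FileHash -LiteralPath $copy.FullName -Algorithm SHA256).Hash
            } catch {
                # A log may be locked by the running client; record it instead of aborting.
                $row.Error = $_.Exception.Message
            }
            $manifest += [pscustomobject]$row
        }
    }

    # The manifest records where each copy came from, its hash, and any failures.
    $manifest | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
    return $manifest
}
```

Run `Copy-SepLogs` from an elevated prompt on the client; rows with a non-empty `Error` column identify files that could not be copied.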


If an outbreak is underway, administrators seeking to identify suspicious computers and files are also encouraged to examine the SEPM's SONAR reports.  Detailed tips can be found in the Connect article Using SEPM Alerts and Reports to Combat a Malware Outbreak.  

