Configuring Risk Tracer

Created: 18 Nov 2013 | 10 comments

Hi,

We are running SEPM on a Windows 2003 server with version 11.0.6. We have Risk Tracer enabled; however, when I try to pull the report, the source IP addresses say 0.0.0.0.

Is something missing?

Help needed urgently.

Thanks 

Comments

.Brian

Do you also have NTP (firewall) enabled?

Is simple file sharing or file and printer sharing enabled as well?

http://www.symantec.com/docs/TECH94526

http://www.symantec.com/docs/TECH102539

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi

Hello,

Note that Windows File and Printer Sharing must be enabled in order for Risk Tracer to work.

Check this article:

How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

http://www.symantec.com/business/support/index?pag...

The source IP address is populated when a remote attack happens to a client machine and it is configured by policy to use the "Risk Tracer" option. Risk Tracer has a dependency on the Intrusion Prevention System's (IPS) feature of "Active Response". Both options must be installed and configured correctly to track the remote attacking machine's IP address on the SEP clients. The Symantec Endpoint Protection Manager (SEPM) server then receives the source IP address forwarded from the SEP client logs. When the SEPM displays the source IP address as 0.0.0.0, that is because the client didn't send the source IP address to the SEPM server, for various reasons:

  • It could not be determined / masked
  • The risk was triggered locally and not by a remote machine.

The source IP address received in the logs was a NULL value. By design, when the SEPM receives NULL values for this field it will populate it with the value 0.0.0.0 so that it is not blank.

Check this link:

Syslog events show Source IP address as 0.0.0.0 when SEPM risk events are forwarded

http://www.symantec.com/business/support/index?page=content&id=TECH132755

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
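The practical consequence of the answer above is that 0.0.0.0 in an exported SEPM risk report is a placeholder for "no source reported", not an attacker address, so it must be excluded before pivoting on source IP to find the infecting host. The following is an added example, not code from the original thread or from Symantec: it parses a constructed, simplified comma-separated export (the column names and the log layout are assumptions, not the real SEPM format), treats 0.0.0.0, empty and unparseable values as unknown, and groups the remaining events by attacking IP.

```python
import csv
import io
import ipaddress

# Constructed sample export of SEPM risk events. The column layout is a
# simplification for this example and is NOT the real SEPM log format.
# "0.0.0.0" is how SEPM renders a NULL source IP (client reported no source);
# the empty value in the fourth row stands in for a field that never arrived.
SAMPLE_RISK_EVENTS = """\
time,computer,risk_name,source_ip
2013-11-18 09:01:12,WS-014,W32.Downadup,10.20.3.77
2013-11-18 09:01:40,WS-022,W32.Downadup,10.20.3.77
2013-11-18 09:03:05,WS-009,Trojan.Gen,0.0.0.0
2013-11-18 09:05:51,WS-014,W32.Downadup,
2013-11-18 09:06:02,WS-031,W32.Downadup,10.20.3.91
"""

NULL_SOURCE = "0.0.0.0"  # SEPM's placeholder for a NULL source address


def classify_source(value):
    """Return ("remote", ip) for a usable source address, or ("unknown", None)
    when the field is empty, is the 0.0.0.0 placeholder, or is not a valid
    IP address. The unspecified IPv6 address (::) is treated the same way."""
    value = (value or "").strip()
    if not value or value == NULL_SOURCE:
        return ("unknown", None)
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return ("unknown", None)
    if ip.is_unspecified:
        return ("unknown", None)
    return ("remote", str(ip))


def summarize_sources(text):
    """Parse the export and return (attackers, unknown_events).

    attackers maps each reported source IP to a sorted list of the computers
    it was seen attacking; unknown_events lists (time, computer, risk_name)
    for events where Risk Tracer supplied no usable source, i.e. the
    detection was local or the source could not be determined."""
    attackers = {}
    unknown_events = []
    for row in csv.DictReader(io.StringIO(text)):
        kind, ip = classify_source(row.get("source_ip"))
        if kind == "remote":
            attackers.setdefault(ip, set()).add(row["computer"])
        else:
            unknown_events.append((row["time"], row["computer"], row["risk_name"]))
    return ({ip: sorted(hosts) for ip, hosts in attackers.items()}, unknown_events)


if __name__ == "__main__":
    attackers, unknown = summarize_sources(SAMPLE_RISK_EVENTS)
    # Most active source first: these are the hosts worth isolating.
    for ip, victims in sorted(attackers.items(), key=lambda kv: -len(kv[1])):
        print(f"{ip}: attacked {len(victims)} host(s): {', '.join(victims)}")
    print(f"{len(unknown)} event(s) carried no usable source IP "
          f"(local detection, or Risk Tracer could not determine it)")
```

Run against a real export, only the parsing of the first four columns needs adapting; the classification rule stays the same. Note that an event with source 0.0.0.0 still tells you which computer was hit, so those rows belong in the incident scope even though they cannot be used to name the attacker.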

carolin

Hi,

Windows File and Printer Sharing is already enabled.

Is the RU7 version 11.0.7?

.Brian

And you have NTP installed and a policy applied?

Mithun Sanghavi

Hello,

When the SEPM displays the source IP address as 0.0.0.0, that is because the client didn't send the source IP address to the SEPM server, for various reasons:

  • It could not be determined / masked
  • The risk was triggered locally and not by a remote machine.

The source IP address received in the logs was a NULL value. By design, when the SEPM receives NULL values for this field it will populate it with the value 0.0.0.0 so that it is not blank.

Check this link:

Syslog events show Source IP address as 0.0.0.0 when SEPM risk events are forwarded

http://www.symantec.com/business/support/index?page=content&id=TECH132755

Here are a few quick points to have Risk Tracer running properly:

  • Risk Tracer relies upon Windows File and Printer Sharing. If this is disabled (as per Microsoft KB article 199346, http://support.microsoft.com/kb/199346), Risk Tracer will not work.
  • Risk Tracer works with Windows XP, Windows 2003, Windows 7 and other Windows operating systems. It is not inherently limited to Windows XP.
  • The SEP client Network Threat Protection (NTP) feature must be installed for Risk Tracer to function fully.

Hope that helps!!

carolin

Actually, I am not sure if I have NTP installed or if the policy is applied. I may need to open a case with Symantec for this.

.Brian

If you open the SEP GUI, do you see NTP installed? Also, you can check via the SEPM, as it will show in there as well.

Beppe

Hello,

NTP is required for Risk Tracer to block the source of the infection; it is not required to identify it, i.e. its absence is not the cause of the 0.0.0.0.

Also have a look at the Risk Tracer logs.

For SEP 12.1 the raw logs can be found under the following path:

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Logs\AV

Regards,

Giuseppe

Mick2009

Hi carolin,

Risk Tracer is helpful, but there are also other ways to identify which computers in the network are infected. For one example, please see:

Two Reasons why IPS is a "Must Have" for your Network
https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

Also: SEP 11 has only a few weeks until it reaches its End of Limited Support. Upgrade to SEP 12.1!

Hope this helps!

With thanks and best regards,

Mick