Endpoint Protection


configuring risk tracer

  • 1.  configuring risk tracer

    Posted Nov 18, 2013 10:52 AM

    Hi,

    We are running SEPM on a Windows 2003 server with version 11.0.6. We have the Risk Tracer enabled; however, when I try to pull the report, the source IP addresses say 0.0.0.0.

    Is something missing?

    Help needed urgently.

    Thanks 



  • 2.  RE: configuring risk tracer

    Posted Nov 18, 2013 11:00 AM

    Do you also have NTP (firewall) enabled?

    Is simple file sharing or file and printer sharing enabled as well?

    http://www.symantec.com/docs/TECH94526

    http://www.symantec.com/docs/TECH102539



  • 3.  RE: configuring risk tracer

    Trusted Advisor
    Posted Nov 18, 2013 11:03 AM

    Hello,

    Note that Windows File and Printer Sharing must be enabled in order for Risk Tracer to work.

    Check this article:

    How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

    http://www.symantec.com/business/support/index?pag...

    The source IP address is populated when a remote attack happens to a client machine and it is configured by policy to use the "Risk Tracer" option. Risk Tracer has a dependency on the Intrusion Prevention System's (IPS) feature of "Active Response". Both options must be installed and configured correctly to track the remote attacking machine's IP address on the SEP clients. The Symantec Endpoint Protection Manager (SEPM) server then receives the source IP address forwarded from the SEP client logs. When the SEPM displays the source IP address as 0.0.0.0, that is because the client didn't send the source IP address to the SEPM server for various reasons:

    • It could not be determined / masked
    • The risk was triggered locally and not by a remote machine.

    The source IP address received in the logs was a NULL value. By design, when the SEPM receives NULL values for this field it will populate it with the value 0.0.0.0 so that it is not blank.

    Check this link:

    Syslog events show Source IP address as 0.0.0.0 when SEPM risk events are forwarded

    http://www.symantec.com/business/support/index?page=content&id=TECH132755

    Hope that helps!!



  • 4.  RE: configuring risk tracer

    Posted Nov 18, 2013 12:20 PM

    Hi,

    The Windows print and file sharing is already enabled.

    Is the RU7 version 11.0.7?



  • 5.  RE: configuring risk tracer

    Posted Nov 18, 2013 12:26 PM

    And you have NTP installed and a policy applied?



  • 6.  RE: configuring risk tracer

    Posted Nov 18, 2013 01:07 PM

    Actually, I am not sure if I have NTP installed or if the policy is applied. I may need to open a case with Symantec for this.



  • 7.  RE: configuring risk tracer

    Trusted Advisor
    Posted Nov 18, 2013 01:07 PM

    Hello,

    When the SEPM displays the source IP address as 0.0.0.0, that is because the client didn't send the source IP address to the SEPM server for various reasons:

    • It could not be determined / masked
    • The risk was triggered locally and not by a remote machine.

    The source IP address received in the logs was a NULL value. By design, when the SEPM receives NULL values for this field it will populate it with the value 0.0.0.0 so that it is not blank.

    Check this link:

    Syslog events show Source IP address as 0.0.0.0 when SEPM risk events are forwarded

    http://www.symantec.com/business/support/index?page=content&id=TECH132755

    Here are a few quick points to have the Risk Tracer running properly:

    • Risk Tracer relies upon Windows File and Printer Sharing. If this is disabled (as per Microsoft KB article 199346, http://support.microsoft.com/kb/199346), Risk Tracer will not work.
    • Risk Tracer works with Windows XP, Windows 2003, Windows 7 and other Windows operating systems.  It is not inherently limited to Windows XP.
    • The SEP client Network Threat Protection (NTP) feature must be installed for Risk Tracer to function fully.

    Hope that helps!!
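    For anyone forwarding SEPM risk events into a SIEM, the 0.0.0.0 placeholder described above should be handled as "source undetermined", never as an attacking host. The Python below is an added example, not code from this thread or from Symantec; its key=value line layout, field names and sample values are constructed assumptions, so adapt parse_event() to the real feed.

```python
import ipaddress

# Constructed sample lines in an assumed key=value layout (not SEPM's real
# syslog format). 1.2.3.4 is a made-up public address for the example.
SAMPLE_EVENTS = [
    "computer=WS01 risk=EICAR-Test-File source_ip=0.0.0.0 action=Quarantined",
    "computer=WS02 risk=W32.Example source_ip=10.20.30.40 action=Cleaned",
    "computer=WS03 risk=W32.Example source_ip=1.2.3.4 action=LeftAlone",
    "computer=WS04 risk=W32.Example action=Quarantined",  # field absent
]


def parse_event(line):
    """Split one constructed 'key=value' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def classify_source(ip_text):
    """Map the Source IP field to how an analyst should treat it.

    SEPM writes 0.0.0.0 when the client reported a NULL source, i.e. the
    risk was triggered locally or the remote source could not be
    determined, so that value must not be treated as an attacker address.
    """
    if not ip_text or ip_text == "0.0.0.0":
        return "undetermined"
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    return "internal" if ip.is_private else "external"


def triage(lines):
    """Annotate each event with a source classification."""
    results = []
    for line in lines:
        ev = parse_event(line)
        src = ev.get("source_ip")
        results.append({"computer": ev.get("computer"), "risk": ev.get("risk"),
                        "source_ip": src, "source_class": classify_source(src)})
    return results


def summarize(results):
    """Count classes; all_undetermined hints that no client ever reports a
    source, which is when the Risk Tracer prerequisites (File and Printer
    Sharing, NTP/IPS Active Response) are worth checking."""
    counts = {}
    for r in results:
        counts[r["source_class"]] = counts.get(r["source_class"], 0) + 1
    return {"counts": counts,
            "all_undetermined": bool(results) and counts.get("undetermined", 0) == len(results)}
```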



  • 8.  RE: configuring risk tracer

    Posted Nov 18, 2013 01:09 PM

    If you open the SEP GUI, do you see NTP installed? Also, you can check via the SEPM, as it will show in there as well.



  • 9.  RE: configuring risk tracer

    Posted Nov 19, 2013 02:01 AM

    Hi

    Please refer to the link below:

    http://www.symantec.com/business/support/index?page=content&id=TECH102539&profileURL=https%3A%2F%2Fsymaccount-profile.symantec.com%2FSSO%2Findex.jsp%3FssoID%3D1384844398189eajIDm3TVGgcaH57H8o9sqrS0fa52lIs6311j

    Regards




  • 10.  RE: configuring risk tracer

    Posted Nov 19, 2013 04:16 AM

    Hello,

    The NTP is required for the Risk Tracer to block the source of the infection; it is not required to identify it, i.e., its absence is not the cause of the 0.0.0.0 value.

    Have also a look at the Risk Tracer logs.

    For SEP 12.1 the raw logs can be found under the following path:

    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Logs\AV



  • 11.  RE: configuring risk tracer

    Posted Nov 19, 2013 10:00 AM

    Hi carolin,

    Risk Tracer is helpful, but there are also other ways to identify which computers in the network are infected.  For one example, please see:

    Two Reasons why IPS is a "Must Have" for your Network
    https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

    Also: SEP 11 has only a few weeks until it reaches its End of Limited Support.  Upgrade to SEP 12.1!

    Hope this helps!

    Mick