Hello,
Note that Windows File and Printer Sharing must be enabled in order for Risk Tracer to work.
Check this article:
How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection
http://www.symantec.com/business/support/index?pag...
The source IP address is populated when a remote attack happens to a client machine and it is configured by policy to use the "Risk Tracer" option. Risk Tracer has a dependency on the Intrusion Prevention System's (IPS) feature of "Active Response". Both options must be installed and configured correctly to track the remote attacking machine's IP address on the SEP clients. The Symantec Endpoint Protection Manager (SEPM) server then receives the source IP address forwarded from the SEP client logs. When the SEPM displays the source IP address as 0.0.0.0, that is because the client didn't send the source IP address to the SEPM server for various reasons.
- It could not be determined / masked
- The risk was triggered locally and not by a remote machine.
The source IP address received in the logs was a NULL value. By design, when the SEPM receives NULL values for this field it will populate with the value 0.0.0.0 so that it is not blank.
Check this link:
Syslog events show Source IP address as 0.0.0.0 when SEPM risk events are forwarded
http://www.symantec.com/business/support/index?page=content&id=TECH132755
Hope that helps!!