IP address information is not updated in SEP 12.1 Logs/Risk
Created: 20 Mar 2013 | Updated: 21 Mar 2013 | 9 comments
This issue has been solved. See solution.
Hi All
Good day...
We are using SEP 12.1 RU1 MP1 on a Windows architecture.
Today we experienced an issue with a network virus that came in via OWA, and the SEP client blocked it successfully.
From the risk log I am not able to see the Source Computer Name / Source Computer IP (the Source Computer IP entry is 0.0.0.0).
Where can I get the full details? Where is the origin of the virus / attack?
SEP detected the virus as Trojan.Zbot.
Can anyone advise on the possible ways to find the root of the virus?
Regards
Ajin
Enable Risk Tracer:
How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
Hi Rafeeq,
Yes, Risk Tracer is already enabled.
If so, what can be the cause?
Regards
Ajin
Is Risk Tracer enabled?
If yes, is file sharing or file and printer sharing enabled?
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Hi Pete,
Thanks for your response.
We have already enabled Risk Tracer. Yes, file sharing is enabled.
And I believe that it cannot tell the remote IPs since we got it via an e-mail attachment.
Regards
Ajin
Yes, if it's email, it's the local machine.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Hi Pete,
Is there any possibility of knowing the origin of the virus through your lab team if I share the records/email?
Regards
Ajin
Risk Tracer identifies network share-based virus infections. If the infection is local, then it is going to show 0.0.0.0 for the local address.
Now with a worm such as Conficker, you would see the remote IP of the attacking system in the logs.
Zbot is not a worm; it is a trojan which works locally on the machine and doesn't spread to other machines.
You need to look at the infected machine's browsing history, downloads, etc.
Risk Tracer does not even factor in the case you just outlined above.
SEP Knowledge Base
Endpoint SWAT
Hi Brian,
Thanks for the response.
We got the infection via OWA, and it was blocked by Auto-Protect. We would like to know from where it was added to our mail.
Regards
Ajin
If it's through email, can you check the sender?
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
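Brian's point that a 0.0.0.0 source means a local detection that Risk Tracer cannot trace, and Pete's suggestion to check the sender, can be turned into a small triage routine. The following Python is an added example written for this thread; it is not Symantec code and does not use SEP's real log export format. The risk-event rows, column names, hostnames, IP addresses and e-mail headers are all constructed for the example. It classifies a risk-log entry by its source IP and, for local detections that arrived by mail, walks the message's Received: headers from the oldest hop upward to find the first handoff from outside the internal network.

```python
"""Triage helper: a risk-log entry whose source IP is 0.0.0.0 was detected
locally (e-mail attachment, download, USB), so Risk Tracer holds no remote
address for it. For mail-borne detections the origin has to be recovered from
the message's own delivery path instead.

Everything below is constructed sample data; the column names are assumptions,
not SEP's export schema."""
import email
import re
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed risk-log rows (column names assumed for the example).
SAMPLE_RISK_EVENTS = [
    {"computer": "WS-FIN-07", "risk": "Trojan.Zbot", "source_ip": "0.0.0.0",
     "action": "Quarantined"},
    {"computer": "FS-01", "risk": "W32.Downadup", "source_ip": "10.20.30.40",
     "action": "Quarantined"},
]

# Constructed message as it might be exported from the mailbox. Hostnames and
# addresses are made up; 203.0.113.0/24 is a documentation range.
SAMPLE_EMAIL = """\
Received: from owa.example.local (owa.example.local [10.1.1.5])
\tby mailstore.example.local with ESMTP id ABC123; Wed, 20 Mar 2013 09:14:02 +0000
Received: from mx1.example.local (mx1.example.local [10.1.1.2])
\tby owa.example.local with ESMTP; Wed, 20 Mar 2013 09:14:01 +0000
Received: from relay.badsender.test (unknown [203.0.113.77])
\tby mx1.example.local with SMTP; Wed, 20 Mar 2013 09:13:58 +0000
From: "Invoice Dept" <billing@badsender.test>
To: user@example.local
Subject: Invoice attached
Content-Type: text/plain

see attachment
"""

# Networks whose Received: hops we trust (assumed for the example).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify_risk_event(event):
    """'local' when the source is the unspecified address 0.0.0.0, meaning no
    network-share source was recorded; otherwise 'network-share'."""
    return "local" if ip_address(event["source_ip"]).is_unspecified else "network-share"


def received_chain(raw):
    """Return (claimed_name, recorded_ip) per hop, oldest hop first.
    Headers are prepended by each relay, so the last one is the oldest."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(hdr)
        if not m:
            continue
        ip_match = IPV4_RE.search(m.group(2))
        hops.append((m.group(1), ip_match.group(1) if ip_match else None))
    return hops


def likely_origin(raw, internal_nets):
    """First hop whose recorded IP lies outside the internal networks.
    Caveat: only the hop written by your own MX is trustworthy; anything the
    sender's side recorded below it can be forged."""
    for name, ip in received_chain(raw):
        if ip and not any(ip_address(ip) in net for net in internal_nets):
            return name, ip
    return None


def sender_address(raw):
    """The From: address, the first thing to check for a mail-borne detection."""
    return parseaddr(email.message_from_string(raw)["From"])[1]


def triage(event, raw_mail=None, internal_nets=INTERNAL_NETS):
    """Combine the log classification with the mail-path lookup."""
    kind = classify_risk_event(event)
    result = {"computer": event["computer"], "risk": event["risk"], "source": kind}
    if kind == "network-share":
        result["remote_ip"] = event["source_ip"]
    elif raw_mail is not None:
        result["sender"] = sender_address(raw_mail)
        result["origin"] = likely_origin(raw_mail, internal_nets)
    return result


if __name__ == "__main__":
    for ev in SAMPLE_RISK_EVENTS:
        print(triage(ev, SAMPLE_EMAIL))
```

For the Zbot row the routine reports a local detection, the sender billing@badsender.test, and the external relay 203.0.113.77 as the first hop outside 10.0.0.0/8; for the Downadup row it simply carries the remote IP that Risk Tracer already recorded. Only the Received: line added by your own mail gateway should be relied on, since earlier hops are written by the sending side.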