
IP address information is not updated in SEP 12.1 Risk Logs

Created: 20 Mar 2013 • Updated: 21 Mar 2013 | 9 comments
This issue has been solved.

Hi All

Good day...

We are using SEP 12.1 RU1 MP1 on a Windows architecture.

Today we experienced an issue with a network virus that came in via OWA, and the SEP client blocked it successfully.

From the risk log I am not able to see the Source Computer Name / Source Computer IP (the Source Computer IP entry is 0.0.0.0).

Where can I get the full details? Where did the virus / attack originate?

SEP detected the virus as Trojan.Zbot.

Can anyone guide me on the possible ways to find the root of the virus?

Regards

Ajin


Rafeeq:

Enable Risk Tracer.


How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

http://www.symantec.com/business/support/index?page=content&id=TECH94526
AjinBabu:

Hi Rafeeq,

Yes, Risk Tracer is already enabled.

If that is so, what can be the cause?

Regards

Ajin

pete_4u2002:

Is Risk Tracer enabled?

If yes, is file sharing or file and printer sharing enabled?

AjinBabu:

Hi Pete,

Thanks for your response.

We have already enabled Risk Tracer. Yes, file sharing is enabled.

And I believe that it cannot tell the remote IPs, since we got it via an e-mail attachment.

Regards

Ajin

SOLUTION
AjinBabu:

Hi Pete,

Is there any possibility of knowing the origination of the virus by our Lab Team if I share the records / email?

Regards

Ajin

.Brian:

Risk Tracer identifies network share-based virus infections. If the infection is local, then it is going to show 0.0.0.0 for the local address.

Now with a worm such as Conficker, you would see the remote IP of the attacking system in the logs.

Zbot is not a worm; it is a trojan which works locally on the machine and doesn't spread to other machines.

You need to look at the infected machine's browsing history, downloads, etc.

Risk Tracer does not even factor in the case you just outlined above.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
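As an added example (not from this thread, and not Symantec's own tooling), the following Python script applies Brian's rule to a constructed SEPM-style risk-log export: a source IP other than 0.0.0.0 means Risk Tracer attributed a network-share source worth pivoting to, while 0.0.0.0 means the analyst must turn to the local host's browser and mail artifacts instead. The column names, hostnames and file paths are assumptions made for the example, not the real SEPM export schema.

```python
import csv
import io
import ipaddress

# Constructed sample resembling a SEPM risk-log export. Column names, hosts
# and paths are assumptions for this example, not the real SEPM schema.
SAMPLE_LOG = """\
Time Stamp,Risk Name,Computer Name,Source Computer Name,Source Computer IP,File Path
2013-03-20 09:12:01,Trojan.Zbot,WS-017,,0.0.0.0,C:\\Users\\ajin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q1ZK\\invoice.exe
2013-03-20 09:40:17,W32.Downadup,WS-022,FS-01,10.1.4.25,C:\\Windows\\System32\\jwgkvsq.dll
"""

# Path fragments that suggest a browser- or mail-delivered file on the local host
# (OWA attachments land in the browser cache or the user's download folder).
LOCAL_HINTS = ("temporary internet files", "\\downloads\\", "\\temp\\", "content.outlook")


def classify(row):
    """Decide whether Risk Tracer gave a usable source or the analyst must work locally."""
    src = row["Source Computer IP"].strip()
    try:
        # 0.0.0.0 is the 'unspecified' address: Risk Tracer had no remote peer to report.
        remote = not ipaddress.ip_address(src).is_unspecified
    except ValueError:  # empty or malformed field: treat as no attribution
        remote = False
    if remote:
        peer = row["Source Computer Name"] or src
        return {"risk": row["Risk Name"], "host": row["Computer Name"],
                "verdict": "network-share source",
                "next_step": f"pivot to {peer} ({src}) and check its shares"}
    path = row["File Path"]
    hinted = any(h in path.lower() for h in LOCAL_HINTS)
    step = (f"review browser/mail cache artefact: {path}" if hinted
            else f"review local download and execution history on {row['Computer Name']}")
    return {"risk": row["Risk Name"], "host": row["Computer Name"],
            "verdict": "local source (Risk Tracer shows 0.0.0.0)", "next_step": step}


def triage(export_text):
    """Parse an exported risk log and classify every row."""
    return [classify(r) for r in csv.DictReader(io.StringIO(export_text))]


if __name__ == "__main__":
    for result in triage(SAMPLE_LOG):
        print(result)
```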

AjinBabu:

Hi Brian,

Thanks for the response.

We got the infection via OWA, and it was blocked by Auto-Protect. We would like to know from where it was added to our mail.

Regards

Ajin