Requirements for the Risk Tracer Feature
Updated: 22 May 2010 | 9 comments
We have "checked" the Risk Tracer policy under our SSC and SEPM console. However, the Source IP in the Risk History logs is showing "0.0.0.0" and not the IP address of the source of infection.
Besides activating this feature on the policy console, are there other settings that need to be in place before the Risk Tracer feature can work?
Comments
Risk Tracer
Hi,
Worms and threats that spread across networks by network shares have become more common in recent years. Risk Tracer is an optional feature in SAV 10.1/SCS 3.1 and in SEP 11 that records information on what network source a threat has come from so that the root of the outbreak can be easily identified and fixed. Risk Tracer was introduced in SAV 10.1/SCS 3.1.
Risk Tracer can be extremely useful in informing what computers to isolate and scan. For illustration, export a Log History Report from the SEPM and hide many of the columns that do not relate to Risk Tracer.
Example:
"Monitors Tab" on the left hand pane.
"Logs" on the tab menu (Top of Screen)
"Log Type:" Risk
Default Filter
"View Log" button
Export Search Results.
Import into Excel.
Results below.
| Event       | Computer Name | Source            | Source Computer Name | Source Computer IP |
|-------------|---------------|-------------------|----------------------|--------------------|
| Virus Found | TEST-130      | Auto-Protect scan | TEST-01              | 10.14.3.13         |
| Virus Found | TEST-055      | Auto-Protect scan | TEST-01              | 10.14.3.13         |
| Virus Found | TEST-065      | Auto-Protect scan | TEST-01              | 10.14.3.13         |
This log is indicating that TEST-01 at 10.14.3.13 should be isolated from the network and scanned. It is reportedly infecting other computers.
Please note that Risk Tracer relies upon very basic network awareness functionality. The computer name and IP that are listed were connecting to the SAV or SEP client at the time the infection was detected, but there may have been other connections as well.
Symantec Technical Support recommends comparing the logs of several clients and noting which remote computer names and IPs keep coming up.
http://service1.symantec.com/SUPPORT/ent-security....
Risk Tracer must first be enabled in your Antivirus and Antispyware policy in order to view the information it can collect.
To view the top machines that are attacking other machines in your environment discovered by Autoprotect and located by way of Risk Tracer in the Symantec Endpoint Protection Manager go to the Monitors page and view the "Risk Distribution by Attacker" chart.
More details on a specific threat can be found at :
Monitors->Logs Tab->Log type : Risk and click on View Log. Then select the particular risk you wish to view more information about and click the Details hyperlink at the top of the page.
http://service1.symantec.com/SUPPORT/ent-security....
Thanks & Regards Sandip C Sali
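The answer above recommends comparing the risk logs of several clients and noting which source computer names and IPs keep coming up. The script below is an added example (not Symantec's tooling or anything from the original thread) that does that counting over an exported risk log. It assumes a CSV export whose column names match the table above; the sample rows are constructed, and the real SEPM export contains many more columns, which are simply ignored. Rows whose source IP is empty or "0.0.0.0" (the symptom in the original question) are counted separately as untraced so they do not silently disappear from the ranking.

```python
"""Rank Risk Tracer source hosts from an exported SEPM risk log (CSV)."""
import csv
import io

# Constructed sample export. Column names follow the table in the answer
# above; the real export has additional columns that this script ignores.
SAMPLE_EXPORT = """\
Event,Computer Name,Source,Source Computer Name,Source Computer IP
Virus Found,TEST-130,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-055,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-065,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-072,Auto-Protect scan,TEST-09,10.14.3.40
Virus Found,TEST-088,Auto-Protect scan,,0.0.0.0
Virus Found,TEST-090,Manual scan,,
"""

# Source IP values that mean Risk Tracer did not identify a source.
UNTRACED = {"", "0.0.0.0"}


def load_risk_events(text):
    """Parse the CSV export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def rank_sources(rows):
    """Count how many distinct victim clients blame each traced source.

    Returns (ranked, untraced): ranked is a list of
    ((source_name, source_ip), victim_count) sorted by count descending,
    untraced is the number of events with no usable source IP.
    """
    victims = {}  # (source name, source ip) -> set of victim computer names
    untraced = 0
    for row in rows:
        ip = (row.get("Source Computer IP") or "").strip()
        if ip in UNTRACED:
            untraced += 1
            continue
        key = ((row.get("Source Computer Name") or "").strip(), ip)
        victims.setdefault(key, set()).add(row["Computer Name"].strip())
    ranked = sorted(((k, len(v)) for k, v in victims.items()),
                    key=lambda kv: (-kv[1], kv[0]))
    return ranked, untraced


def suspects(rows, min_victims=2):
    """Sources reported by at least min_victims different clients.

    A single report may be a coincidental connection (the answer above notes
    Risk Tracer only records who was connected at detection time), so a
    threshold of repeated reports is used before naming a host.
    """
    ranked, _ = rank_sources(rows)
    return [key for key, n in ranked if n >= min_victims]


if __name__ == "__main__":
    events = load_risk_events(SAMPLE_EXPORT)
    ranked, untraced = rank_sources(events)
    for (name, ip), n in ranked:
        print(f"{name or '?':<10} {ip:<15} blamed by {n} client(s)")
    print(f"{untraced} event(s) carried no source IP (Risk Tracer not effective)")
    print("isolate and scan:", suspects(events))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the untraced count is a quick way to tell whether Risk Tracer is actually populating the source fields across the estate or whether most events still report 0.0.0.0.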
I'm not asking what Risk Tracer is.
I know what Risk Tracer is, and we have it enabled in both our SSC Console (for SAV10 clients) and SEPM Console (for SEP11 clients).
I'm asking if there are other settings that need to be in place before the Risk Tracer feature can work, i.e. Windows File and Printer Sharing must be enabled in order for Risk Tracer to work, and we already have this enabled.
Besides the below knowledge base article, is there any official documentation from Symantec that talks about the Risk Tracer requirements?
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092711352448
i.e. Does the client firewall feature in SAV10 need to be activated in order for Risk Tracer to show the source computer?
Client Firewall not Needed
In SAV you don't need the Client Firewall installed to use Risk Tracer, but in SEP you need NTP.
There is no document other than the one mentioned by you on Risk Tracer.
Thanks & Regards Sandip C Sali
Hi
You must have tested this before.
http://www.upenn.edu/computing/virus/docs/sav_ce/101x/savinst.pdf
I don't think they need the firewall to be activated.
In the above link, go to page 76 and test Risk Tracer with your current configuration. If it works, then well and good (SAV).
For SEP, as the document suggests, we need to have the Firewall and Intrusion policy activated.
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
Yes, you need to have Network Threat Protection installed on the SEP client so that it can trace the IP address of the attacker. Similarly, on SCS you need to have Symantec Client Firewall installed.
https://www-secure.symantec.com/connect/articles/worms-and-threats-spread-across-networks-network-shares-have-become-more-common-recent-yea-0
Risk Tracer is part of the Antivirus component, and the AV component does not have the ability to understand IPs and networks.
I just want to ask what features are installed on the SEP client side?
:-)
@Vikram
As I said earlier, it is not required to have SCF to use Risk Tracer on SAV, because it does not depend on SCF. SCF is a separate component.
For SEP, as you said, we need NTP to use the Risk Tracer feature.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092711352448