
Risk Tracer

Created: 27 Jul 2013 | 6 comments

I have enabled Risk Tracer, and sometimes there is a source IP in the risk log, but sometimes it is blank. What is the possible cause that SEP cannot find the source IP of the risk?


.Brian

It's the local machine that's infected; there is no remote attacking PC.

Make sure you have the firewall and active response enabled as this is needed for risk tracer to work.

https://www-secure.symantec.com/connect/forums/ris...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

AjinBabu

Hi,

Risk Tracer

Risk Tracer identifies the source of network share-based virus infections on your client computers.

Note:

You can lock or unlock an option that includes the padlock icon next to it. When you lock an option, users on client computers cannot change the option.

Table: Risk Tracer options

Option: Enable Risk Tracer
Description: Enables or disables Risk Tracer.

When Auto-Protect detects an infection, it sends information to Rtvscan, the main Symantec Endpoint Protection service. Rtvscan determines if the infection originated locally or remotely.

Option: Resolve the source computer IP address
Description: If this option is disabled, the Symantec Endpoint Protection client looks up and records only the computer's NetBIOS name. If this option is enabled, the client tries to get an IP address for the known NetBIOS name.

If the infection came from a remote computer, Rtvscan can do the following actions:

• Look up and record the computer's NetBIOS computer name and its IP address.

• Look up and record who was logged on to the computer at delivery time.

• Display the information in the Risk properties dialog box.

This feature is supported on Windows XP systems only.

Option: Poll for network sessions every <number> milliseconds
Description: Enables or disables polling for network sessions.

The client polls one time every second (1000 milliseconds) by default.

Lower values use greater amounts of CPU and memory. Lower values also increase the possibility that the client can record the network session information before the threat can turn off network shares.

Higher values decrease system overhead, but also decrease Risk Tracer's ability to detect the source of the infections.

Rtvscan polls every second by default for network sessions, and then caches this information as a remote computer secondary source list. This information maximizes the frequency with which Risk Tracer can successfully identify the infected remote computer. For example, a risk may close the network share before Rtvscan can record the network session. Risk Tracer then uses the secondary source list to try to identify the remote computer. You can configure this information in the Auto-Protect Advanced Options dialog box.

Risk Tracer information appears in the Risk Properties dialog box, and is available only for the risk entries that the infected files cause. When Risk Tracer determines that the local host activity caused an infection, it lists the source as the local host.

Risk Tracer lists a source as unknown when the following conditions are true:

• It cannot identify the remote computer.

• The authenticated user for a file share refers to multiple computers. This condition can occur when a user ID is associated with multiple network sessions. For example, multiple computers might be logged on to a file sharing server with the same server user ID.

You can record the full list of multiple remote computers that currently infect the local computer. Set the HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\AV\ProductControl\Debug string value to "THREATTRACER X" on the local client computer. The THREATTRACER value turns on the debug output and the X ensures that only the debug output for Risk Tracer appears. You can also add an L to ensure that the logging goes to the <SAV_Program_Folder>\vpdebug.log log file. To ensure that the debug window does not appear, add XW.

If you want to experiment with this feature, use the test virus file Eicar.com available from the following URL:

www.eicar.org

Regards

Ajin
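The debug switch described in the post above, written out as a PowerShell script. This is an added example, not code from the thread or from Symantec. The registry path, the value name "Debug" and the THREATTRACER / X / L / W flags are the ones quoted in the post; combining them as "THREATTRACER XLW" is this example's reading of "add an L" and "add XW". The Wow6432Node fallback path, the install directory used for vpdebug.log and the search pattern used to pull lines out of the log are assumptions and should be checked against the actual client.

```powershell
# Added example (not from the original post or from Symantec): toggle Risk
# Tracer debug output on a SEP client and read back the resulting vpdebug.log.
# Run in an elevated PowerShell session.

# Registry location quoted in the post. The Wow6432Node variant is an
# assumption for 64-bit hosts; the first path that exists is used.
$candidateKeys = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ProductControl',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\ProductControl'
)
$valueName = 'Debug'

# Flags from the post:
#   THREATTRACER  turn on debug output
#   X             show only Risk Tracer output
#   L             write to <SAV_Program_Folder>\vpdebug.log
#   W             do not show the debug window (post writes it as "XW")
# Combining them as one string is this example's assumption.
$debugValue = 'THREATTRACER XLW'

# Assumed SAV program folder; adjust to the real install directory.
$SavFolder = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection'

function Get-ProductControlKey {
    foreach ($k in $candidateKeys) {
        if (Test-Path $k) { return $k }
    }
    throw 'SEP ProductControl registry key not found; check the client install.'
}

function Enable-RiskTracerDebug {
    $key = Get-ProductControlKey
    # Remember any existing Debug value so Disable-RiskTracerDebug can restore it.
    $existing = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($null -ne $existing) {
        Set-ItemProperty -Path $key -Name "$valueName.previous" -Value $existing -Type String
    }
    Set-ItemProperty -Path $key -Name $valueName -Value $debugValue -Type String
    # Read back to confirm the write.
    (Get-ItemProperty -Path $key -Name $valueName).$valueName
}

function Disable-RiskTracerDebug {
    $key = Get-ProductControlKey
    $previous = (Get-ItemProperty -Path $key -Name "$valueName.previous" -ErrorAction SilentlyContinue)."$valueName.previous"
    if ($null -ne $previous) {
        Set-ItemProperty -Path $key -Name $valueName -Value $previous -Type String
        Remove-ItemProperty -Path $key -Name "$valueName.previous" -ErrorAction SilentlyContinue
    } else {
        Remove-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    }
}

function Get-RiskTracerDebugLines {
    # The log name comes from the post; the pattern is an assumption, since
    # the post does not show the log format. Adjust it to what you see.
    $log = Join-Path $SavFolder 'vpdebug.log'
    if (-not (Test-Path $log)) {
        Write-Warning "Log not found at $log; check SavFolder and that the L flag is set."
        return
    }
    Select-String -Path $log -Pattern 'THREATTRACER', 'Risk Tracer', 'RiskTracer'
}

# Typical sequence: enable, reproduce a detection (for example, copy the EICAR
# test file onto a share from another machine), inspect the log, then disable.
Enable-RiskTracerDebug
# ... reproduce the detection here ...
Get-RiskTracerDebugLines
# Disable-RiskTracerDebug
```

The script deliberately keeps the previous Debug value aside rather than overwriting it, because that string may already carry other debug flags on a client that is being investigated; leaving THREATTRACER logging on permanently also grows vpdebug.log on every detection, so turn it off once the source has been identified.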

Mithun Sanghavi

Hello,

Risk Tracer must first be enabled in your Antivirus and Antispyware policy in order to view the information it can collect. 

Risk Tracer requires Network Threat Protection and IPS to be installed and IPS Active Response to be enabled.

Check these Articles:

What is Risk Tracer?

How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

http://www.symantec.com/docs/TECH94526

Some additional notes ....
  • Risk Tracer relies upon Windows File and Printer Sharing. If this is disabled (as per MS Article 199346, http://support.microsoft.com/kb/199346) Risk Tracer will not work.
  • Risk Tracer works with Windows XP, Windows 2003, Windows 7 and other Windows operating systems. It is not inherently limited to Windows XP.
  • The SEP client Network Threat Protection (NTP) feature must be installed for Risk Tracer to function fully.
  • Risk Tracer may be disabled in order to reduce SEP's performance impact on an overburdened computer.
Hope that helps!
Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SymQNA

Hi pete_4u2002
File sharing is enabled, and the viruses were found in a shared folder.

Hi Brian81

In our testing, Risk Tracer works without the firewall and Active Response enabled, even though they are listed as required in Symantec's official articles.

Referring to pete_4u2002's update in https://www-secure.symantec.com/connect/forums/risk-tracer-report-0 , may I know whether the virus was found after the machine was infected, and not when the remote attack happened?