Endpoint Protection

  • 1.  Source of virus

    Posted Jun 14, 2011 11:40 PM

    Hi,

    I had sent the report of a new risk detected in the network from the Symantec Endpoint Protection Manager console. My boss is asking for the source of the virus or risk. How do I find where that virus came from?

    Any suggestions?



  • 2.  RE: Source of virus

    Posted Jun 14, 2011 11:47 PM

    Based on the report you have, it will not show you the source of the attack [but it tells you which machines have what].
    Best to check in SEPM -> Monitor -> Risk distribution by Attacker.

    If you have Risk Tracer enabled, that area will be populated with the IP addresses of the bad machines.

    Details in http://www.symantec.com/business/support/index?page=content&id=TECH102539



  • 3.  RE: Source of virus

    Posted Jun 15, 2011 12:02 AM

    Hi,

    There is no report like that?



  • 4.  RE: Source of virus

    Broadcom Employee
    Posted Jun 15, 2011 01:20 AM

    Enable Risk Tracer, then you will get to know the source.



  • 5.  RE: Source of virus

    Posted Jun 15, 2011 01:27 AM

    There is one.

    http://www.symantec.com/business/support/index?page=content&id=TECH95542



  • 6.  RE: Source of virus

    Posted Jun 15, 2011 01:29 AM

    Hi,

    Enabling Risk Tracer will do the same function by showing the system name only. Is there any way to show the file path where the risk was found?



  • 7.  RE: Source of virus

    Broadcom Employee
    Posted Jun 15, 2011 01:41 AM

    When you know the source computer, you have to check the threat on that system. For this you may get help from Symantec to identify the suspicious files.



  • 8.  RE: Source of virus

    Trusted Advisor
    Posted Jun 15, 2011 03:02 AM


    Hello,

    Yes, simple.

    Turn on Risk Tracer from the SEPM and get the details from the Risk logs. (Risk logs can be taken from the SEPM, exported, and opened in Excel.)

    Here are the Links: 

    1) About Risk Tracer

    http://www.symantec.com/docs/HOWTO27137

    2) What is Risk Tracer?

    http://www.symantec.com/docs/TECH102539

    3) How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

    http://www.symantec.com/docs/TECH94526

    NOTE: For Risk Tracer to work correctly, you require Network Threat Protection installed and enabled on all machines.


    Risk Tracer can be extremely useful in telling you which computers to isolate and scan. For illustration, export a Log History Report from the SEPM and hide many of the columns that do not relate to Risk Tracer.

    Example: 
    "Monitors Tab" on the left hand pane. 
    "Logs" on the tab menu (Top of Screen)
    "Log Type:" Risk
    Default Filter
    "View Log" button
    Export Search Results.
    Import into Excel.
    Results below.


    Example of Risk Tracer

    Event         Computer Name   Source              Source Computer Name   Source Computer IP
    -----------   -------------   -----------------   --------------------   ------------------
    Virus Found   TEST-130        Auto-Protect scan   TEST-01                10.14.3.13
    Virus Found   TEST-055        Auto-Protect scan   TEST-01                10.14.3.13
    Virus Found   TEST-065        Auto-Protect scan   TEST-01                10.14.3.13


    This log is indicating that TEST-01 at 10.14.3.13 should be isolated from the network and scanned. It is reportedly infecting other computers.

    Please note that Risk Tracer relies upon very basic network awareness functionality. The computer name and IP that are listed were connected to the SAV or SEP client at the time the infection was detected, but there may have been other connections as well. Symantec Technical Support recommends comparing the logs of several clients and noting which remote computer names and IPs keep coming up.


    Hope that helps!!!

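The "compare the logs of several clients and note which remote names and IPs keep coming up" step from the post above, automated over an exported Risk log. This is an added example, not code from the thread or from Symantec. It assumes the export is a CSV whose header row contains the column names shown in the post ("Computer Name", "Source Computer Name", "Source Computer IP"); any other columns are ignored, and the sample rows embedded in the script are constructed for this example.

```python
"""Added example (not from the thread or from Symantec): rank candidate
infection sources in a Risk log exported from the SEPM console.

Assumed input format: a CSV export with at least the columns
"Computer Name", "Source Computer Name" and "Source Computer IP".
The sample below is constructed to resemble the table in the post, plus
one row where Risk Tracer recorded no source and one stray neighbour.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (not real SEPM data).
SAMPLE_EXPORT = """\
Event,Computer Name,Source,Source Computer Name,Source Computer IP,Risk Name
Virus Found,TEST-130,Auto-Protect scan,TEST-01,10.14.3.13,W32.Example
Virus Found,TEST-055,Auto-Protect scan,TEST-01,10.14.3.13,W32.Example
Virus Found,TEST-065,Auto-Protect scan,TEST-01,10.14.3.13,W32.Example
Virus Found,TEST-065,Auto-Protect scan,TEST-077,10.14.3.40,W32.Example
Virus Found,TEST-090,Auto-Protect scan,,,W32.Example
"""


def _rows(export_text):
    """Parse the CSV export into dicts; one dict per detection event."""
    return list(csv.DictReader(io.StringIO(export_text)))


def rank_sources(export_text):
    """Return [(source_name, source_ip, victim_count, victims)], most victims first.

    A source is credited once per *distinct* infected computer, so a single
    noisy host that logs the same neighbour many times does not dominate.
    Events with no Risk Tracer data (blank name and IP) are skipped.
    """
    victims = defaultdict(set)
    for row in _rows(export_text):
        name = (row.get("Source Computer Name") or "").strip()
        ip = (row.get("Source Computer IP") or "").strip()
        if not name and not ip:
            continue  # Risk Tracer had nothing for this event
        victims[(name, ip)].add(row["Computer Name"].strip())
    ranked = sorted(victims.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(n, i, len(v), sorted(v)) for (n, i), v in ranked]


def likely_source(export_text, min_victims=2):
    """The (name, ip) seen infecting at least `min_victims` distinct hosts,
    or None when no source recurs.

    Requiring a recurrence follows the post's caveat: one row only proves
    that the named machine was connected at detection time, not that it
    was the attacker; a name that keeps coming up across clients is a lead.
    """
    ranked = rank_sources(export_text)
    if ranked and ranked[0][2] >= min_victims:
        return ranked[0][0], ranked[0][1]
    return None


def untraced_hosts(export_text):
    """Infected computers whose events carry no source at all; for these,
    Risk Tracer gives no lead (as post 9 notes), so check Network Threat
    Protection is installed and enabled on them."""
    hosts = set()
    for row in _rows(export_text):
        name = (row.get("Source Computer Name") or "").strip()
        ip = (row.get("Source Computer IP") or "").strip()
        if not name and not ip:
            hosts.add(row["Computer Name"].strip())
    return sorted(hosts)


if __name__ == "__main__":
    for name, ip, count, hosts in rank_sources(SAMPLE_EXPORT):
        print(f"{name:10} {ip:15} infected {count} host(s): {', '.join(hosts)}")
    print("Isolate and scan first:", likely_source(SAMPLE_EXPORT))
    print("No Risk Tracer data for:", untraced_hosts(SAMPLE_EXPORT))
```

To use it on a real export, replace `SAMPLE_EXPORT` with the contents of the CSV saved from Monitors -> Logs -> Risk -> Export. The ranking is only as good as the Risk Tracer data behind it: a host that appears once against a single victim is a connection that happened to be open, not evidence, which is why `likely_source` insists on a recurring name before naming a machine to isolate.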


  • 9.  RE: Source of virus

    Posted Jun 15, 2011 10:00 PM

    I just had this same issue today and within a couple of minutes Risk Tracer told me which computer was infecting everyone else. You do not need to export the whole thing. Just highlight one of the threats and hit details and the source computer and ip address will be right there. If there is no source or ip address, you won't have much recourse.



  • 10.  RE: Source of virus

    Trusted Advisor
    Posted Jun 16, 2011 01:08 PM

    Hello,

    Thank you mac!!! Thumbs up to your advice.

    In case you are not receiving details or the name of the source machine, NOTE: For Risk Tracer to work correctly, you require Network Threat Protection installed and enabled on all machines.



  • 11.  RE: Source of virus

    Posted Jun 21, 2011 06:18 AM

    I tried enabling Risk Tracer, but I am not getting anything. I enabled Network Threat Protection also, as you told me.