Endpoint Protection

  • 1.  Top Source of Attack

    Posted Dec 05, 2012 12:28 AM

    Hi,

    We have generated a report for top sources of attack, which I have attached here.

    I want to know whether the "attack host" column in the report is the source attack host or the destination attack host.

    If it is the source, then who is the destination host, and if it is the destination, then who is the source host?

    Is there anything critical in this report that requires action, or is this a normal report?

     

    Regards

  • 2.  RE: Top Source of Attack

    Posted Dec 05, 2012 01:05 AM

    "Top Source of Attack" means that it is the source only, not the destination.

    You had better scan those systems to see whether any virus infections are there.



  • 4.  RE: Top Source of Attack

    Posted Dec 05, 2012 05:58 AM

    If you want to find the source, you need to enable Risk Tracer.

    http://www.symantec.com/business/support/index?page=content&id=TECH102539



  • 5.  RE: Top Source of Attack

    Posted Dec 05, 2012 06:42 AM

    Hi,

    Refer to the article below:

    http://www.symantec.com/docs/TECH102539



  • 7.  RE: Top Source of Attack

    Posted Dec 05, 2012 12:16 PM

    "Top source of attack" are the attacking hosts.

    You can generate a report for the attacked hosts with "Top Targets Attacked".

    Your SEP system has recognized a lot of Intrusion Prevention (IPS) events. You can check this more thoroughly with the SEPM logs: Monitors > Logs > Network Threat Protection > [Log Content] Attacks. Under "Advanced settings", you can limit the results to Intrusion Prevention events.



  • 8.  RE: Top Source of Attack

    Trusted Advisor
    Posted Dec 07, 2012 08:35 AM

    Hello,

    I want to know whether the "attack host" column in the report is the source attack host or the destination attack host.

    If it is the source, then who is the destination host, and if it is the destination, then who is the source host?

    Is there anything critical in this report that requires action, or is this a normal report?

    This report consists of a pie chart with relative bars that shows the top hosts that initiated attacks against your network. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks.

    You use this report to identify which hosts attack your network most frequently.

    https://www-secure.symantec.com/connect/forums/what-difference-between-top-sources-attack-and-risk-distribution-attacker


    As per your report, the Host with IP 10.12.124.177 is responsible for the highest number of Attacks.

    In fact, checking the Top 5 machines, those are -

    10.5.24.161, 10.4.12.163, 10.4.13.56 and 10.3.33.34

    Plan of Action:

    1. Isolate the machine (the host with IP 10.12.124.177) from the network.
    2. Update the system with the latest Microsoft patches, SEP definitions and other application patches.
    3. Scan the system in safe mode.
    4. Reconnect the machine to the network.

    Secondly, work on the steps provided in the articles below:

    Best practices for troubleshooting viruses on a network

    http://www.symantec.com/docs/TECH122466

    Security Best Practices for Protecting a Business Environment from Common Threats

    http://www.symantec.com/docs/TECH105236

     

     

    If that computer is isolated (taken offline) and still shows up in the reports, then this definitely sounds like old data/FP. You may wish to contact Support. There are no known issues about old data showing up in that report; Support can help you investigate completely.

    If that machine is taken out of the equation and stops appearing in the report, and then reappears when it has been added back to the network... it's probably a legitimate indication of continuing trouble on the computer. 

    It may help to examine the logs of other computers on that one's subnet.... do they show continuing log entries about attempted intrusions coming from it?

    (For new readers of this thread: the "Top Sources of Attack report" is used to identify which hosts attack your network most frequently. This report consists of a pie chart with relative bars that shows the top hosts that initiated attacks against your network. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks.  Some more info can be found on http://seer.entsupport.symantec.com/docs/323525.htm )

    Hope that helps!!
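
The isolation check described in the reply above, as an added example that is not part of the original thread or any Symantec tooling: it counts attack-log events that name a suspect host before, during and after its isolation window and lists which neighbours reported them. The CSV column names, the reporting-host addresses and the timestamps are constructed assumptions, not SEPM's export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows. Column names are assumptions, not SEPM's export schema.
SAMPLE = """time,reporting_host,remote_ip
2012-12-03 09:10,10.12.124.20,10.12.124.177
2012-12-03 09:40,10.12.124.31,10.12.124.177
2012-12-04 11:00,10.12.124.20,10.12.124.177
2012-12-06 08:15,10.12.124.31,10.12.124.177
2012-12-06 08:20,10.12.124.44,10.12.124.177
2012-12-03 10:00,10.5.24.9,10.5.24.161
"""
FMT = "%Y-%m-%d %H:%M"

def load(text):
    """Parse exported log text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def phase_counts(rows, suspect, isolated_at, reconnected_at):
    """Count events naming `suspect` as the remote host, split by isolation phase."""
    counts = {"before": 0, "during": 0, "after": 0}
    reporters = defaultdict(set)  # phase -> hosts that logged the suspect
    for row in rows:
        if row["remote_ip"] != suspect:
            continue
        ts = datetime.strptime(row["time"], FMT)
        if ts < isolated_at:
            phase = "before"
        elif ts < reconnected_at:
            phase = "during"
        else:
            phase = "after"
        counts[phase] += 1
        reporters[phase].add(row["reporting_host"])
    return counts, {p: sorted(h) for p, h in reporters.items()}

def verdict(counts):
    """Apply the thread's reasoning to the per-phase counts."""
    if counts["during"] > 0:
        return "events while isolated: likely old data or false positive, contact Support"
    if counts["after"] > 0:
        return "events resumed after reconnect: likely continuing trouble on the host"
    return "no events since isolation"

if __name__ == "__main__":
    c, r = phase_counts(load(SAMPLE), "10.12.124.177", datetime(2012, 12, 5), datetime(2012, 12, 6))
    print(c, r, verdict(c))
```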