Hello,
I want to know whether the "attack host" column in the report is the source attack host or the destination attack host.
If it is the source, then who is the destination host, and if it is the destination, then who is the source host?
Is there anything critical in this report that requires action, or is this a normal report?
This report consists of a pie chart with relative bars that shows the top hosts that initiated attacks against your network. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks.
You use this report to identify which hosts attack your network most frequently.
https://www-secure.symantec.com/connect/forums/what-difference-between-top-sources-attack-and-risk-distribution-attacker
As per your report, the Host with IP 10.12.124.177 is responsible for the highest number of Attacks.
In fact, checking the Top 5 machines, those are -
10.5.24.161, 10.4.12.163, 10.4.13.56 and 10.3.33.34
Plan of Action:
- Isolate the machine (the host with IP 10.12.124.177) from the network.
- Update the system with the latest Microsoft patches, SEP definitions and other application patches.
- Scan the system in safe mode.
- Reconnect the machine to the network.
Secondly, work on the steps provided in the Article below:
Best practices for troubleshooting viruses on a network
http://www.symantec.com/docs/TECH122466
Security Best Practices for Protecting a Business Environment from Common Threats
http://www.symantec.com/docs/TECH105236
If that computer is isolated (taken offline) and still shows up in the reports, then this definitely sounds like old data/FP. You may wish to contact Support. There are no known issues about old data showing up in that report; Support can help you investigate completely.
If that machine is taken out of the equation and stops appearing in the report, and then reappears when it has been added back to the network... it's probably a legitimate indication of continuing trouble on the computer.
It may help to examine the logs of other computers on that one's subnet: do they show continuing log entries about attempted intrusions coming from it?
(For new readers of this thread: the "Top Sources of Attack report" is used to identify which hosts attack your network most frequently. This report consists of a pie chart with relative bars that shows the top hosts that initiated attacks against your network. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks. Some more info can be found on http://seer.entsupport.symantec.com/docs/323525.htm )
Hope that helps!!
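The isolate-and-watch check described in the replies above, sketched as an added example that is not part of the original thread or of any Symantec tool. It assumes the intrusion logs of neighbouring machines have been exported to a CSV with hypothetical columns `time`, `reporting_host`, `remote_ip` and `signature`; the sample rows and timestamps are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample: a hypothetical CSV export of intrusion-prevention events
# from other machines on the suspect's subnet (column names are assumptions).
SAMPLE = """time,reporting_host,remote_ip,signature
2013-05-01 09:10:00,PC-A,10.12.124.177,Example attack signature
2013-05-01 09:40:00,PC-B,10.12.124.177,Example attack signature
2013-05-01 12:30:00,PC-A,10.5.24.161,Example attack signature
2013-05-02 08:05:00,PC-B,10.12.124.177,Example attack signature
2013-05-02 08:20:00,PC-C,10.12.124.177,Example attack signature
"""

FMT = "%Y-%m-%d %H:%M:%S"

def load_events(text):
    """Parse the CSV text into dicts with a real datetime in 'time'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], FMT)
        rows.append(row)
    return rows

def triage(events, suspect_ip, isolated_at, reconnected_at):
    """Apply the isolate/reconnect reasoning from the thread to one suspect host."""
    hits = [e for e in events if e["remote_ip"] == suspect_ip]
    during = [e for e in hits if isolated_at <= e["time"] < reconnected_at]
    after = [e for e in hits if e["time"] >= reconnected_at]
    if during:
        # Host was off the network yet is still reported: old data or false positive.
        verdict = "stale-data-or-false-positive"
    elif after:
        # Quiet while isolated, back after reconnecting: likely continuing trouble.
        verdict = "continuing-trouble"
    else:
        verdict = "no-recurrence"
    # Also list which neighbours logged the host after it was reconnected.
    return verdict, sorted({e["reporting_host"] for e in after})

if __name__ == "__main__":
    events = load_events(SAMPLE)
    isolated = datetime(2013, 5, 1, 10, 0, 0)      # constructed isolation time
    reconnected = datetime(2013, 5, 2, 8, 0, 0)    # constructed reconnect time
    print(triage(events, "10.12.124.177", isolated, reconnected))
```

The comparison is only as good as the clocks on the reporting machines, so events logged within a few minutes of the isolation or reconnect time deserve a manual look.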