
Using SEP, is it possible to trace a brand new virus to its point of origination?

Created: 20 Sep 2009 • Updated: 21 May 2010 | 7 comments

Just using a hypothetical example here: let's say the "blacksky virus" comes out and it is new code. If it starts to infect my network and hits over 100+ machines, what I want to know is how to trace where it originally came from. I would like to be able to trace the point of origination; how can this be done? Is this possible? What I am asking is to have the ability to isolate the point of entry for threats.

Thank you.


Bijay.Swain:

Yes, this is possible.

Enable NTP.
In the Antivirus and Antispyware policy, select File System Auto-Protect. In the Advanced tab, click Risk Tracer. Here select Enable Risk Tracer, and select Resolve the source computer IP address.

This will trace the IP address of the source. Then you can see the logs in "Monitors": select "Risk" as the log type.
Choose Advanced, select the settings as per your needs, and analyze the logs to find the source.

P_K_:

When NTP and PTP are installed along with AV and AVS, we have extra logging. We have the:

1. Packet log
2. System log
3. Traffic log
4. Threat log

The combination of all these will help us to find the origin.

Threat log (PTP) has the information:

[screenshot: risk.jpg]

MCT MCSE-2012 Symantec Technical Specialist (SCTS)
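The two replies above describe enabling Risk Tracer so the risk log records the source computer, then reading the logs to find where the outbreak started. As an added example (not code from any of the posters, and not SEPM's real export format), here is a small Python script that works over a constructed risk-log export to pull out the earliest detection and the most frequent source computer; the column names and sample rows are assumptions.

```python
"""Infer the likely entry point of an outbreak from risk-log rows that carry
Risk Tracer data. Hypothetical export layout; column names are assumptions."""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample. "source_ip" stands in for the value Risk Tracer records
# when "Resolve the source computer IP address" is enabled; an empty value
# means no source could be resolved for that detection.
SAMPLE_RISK_LOG = """\
time,computer,risk_name,source_ip
2009-09-20 08:02:11,WS-017,blacksky,10.0.5.23
2009-09-20 08:03:40,WS-042,blacksky,10.0.5.23
2009-09-20 07:55:02,WS-003,blacksky,
2009-09-20 08:10:09,WS-088,blacksky,10.0.5.23
2009-09-20 08:11:30,WS-091,blacksky,10.0.5.17
2009-09-20 08:12:00,WS-017,othervirus,10.0.9.9
"""


def load_rows(text):
    """Parse the CSV export and convert the timestamp column to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
    return rows


def trace_origin(text, risk_name):
    """Summarise one risk: earliest detection (a candidate entry point when it
    has no resolved source) and the source IP blamed most often."""
    rows = [r for r in load_rows(text) if r["risk_name"] == risk_name]
    if not rows:
        return None
    first = min(rows, key=lambda r: r["time"])
    sources = Counter(r["source_ip"] for r in rows if r["source_ip"])
    top_ip, top_count = sources.most_common(1)[0] if sources else (None, 0)
    return {
        "first_host": first["computer"],
        "first_seen": first["time"].strftime("%Y-%m-%d %H:%M:%S"),
        "first_has_source": bool(first["source_ip"]),
        "top_source_ip": top_ip,
        "source_hits": top_count,
        "infected_hosts": len({r["computer"] for r in rows}),
    }


if __name__ == "__main__":
    print(trace_origin(SAMPLE_RISK_LOG, "blacksky"))
```

In the sample, WS-003 is detected first and has no resolved source, so it is the candidate point of entry, while 10.0.5.23 is the host that went on to spread the risk to the most machines.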

The Conquistador:

I can see how it is done on the client, but I would like a central location on the server to tell me.

Thank you.

P_K_:

This link shows how to set that in SEPM:

What is Risk Tracer?
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092711352448


P_K_:

Title: 'What is Risk Tracer?'
Document ID: 2007092711352448
Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2007092711352448?Open&seg=ent


The Conquistador:

But there are a considerable number of options. What I want to do is run what was a "risk history" in SAV on SEP.