Endpoint Protection

  • 1.  Virus information

    Posted Sep 24, 2013 10:50 PM

    We have enabled risk tracer, and it could detect source IP before, but recently we cannot see source IP in the risk log. Is it because the risk file was uploaded before installing SEP? The virus file was cleaned by deletion. How can I know the created time of this virus file if it is deleted by SEP?

    version 12.1.2015.2015



  • 2.  RE: Virus information

    Posted Sep 24, 2013 11:05 PM
    If the infection was local then you won't see the remote host. The deletion timestamp should indicate when the virus attack was attempted.


  • 3.  RE: Virus information

    Posted Sep 24, 2013 11:12 PM
    "Attempted" means when the file is accessed? When auto protection detected the virus, does it mean the virus file is being accessed at that time? Would you please advise if the file is copied to the SEP client before we installed SEP. Otherwise, there should be source of infection.


  • 4.  RE: Virus information

    Posted Sep 24, 2013 11:16 PM

    If the attempt was local, meaning the user plugged in an infected USB drive or unknowingly downloaded a bad file, then the source in the log would be local; you wouldn't see a remote source. If the machine was infected before SEP was installed, the infection would still be considered local to the machine.



  • 5.  RE: Virus information

    Posted Sep 24, 2013 11:31 PM

    Understood, thanks. Then is there any log that records the properties of the virus file, like created time and file size or...



  • 6.  RE: Virus information

    Broadcom Employee
    Posted Sep 25, 2013 12:31 AM

    Can you post the screenshot?

     



  • 7.  RE: Virus information

    Posted Sep 25, 2013 06:11 AM

    You can see what the Risk log shows in the SEPM; that usually shows a great deal of info.



  • 8.  RE: Virus information

    Posted Sep 25, 2013 11:08 PM

    Hi, yes, I can see the file size, but still cannot see the created time of the file.



  • 9.  RE: Virus information

    Posted Sep 26, 2013 03:59 AM

    Hello,

    I am afraid, if that piece of information is not there, then it is lost.