
What is the difference between "top sources of attack" and "risk distribution by attacker"?

Created: 27 Jun 2009 • Updated: 21 May 2010 | 5 comments
This issue has been solved. See solution.

What is the difference between "top sources of attack" and "risk distribution by attacker"? Which one is the actual source of viruses/attacks? Which IP should I trace for a virus, as both are giving different IP addresses?


Aniket Amdekar

Hi,

Here is the information you have requested:

Risk Distribution by Attacker: [Used for tracing viruses]

Gives the number of remote virus attacks done on the Symantec Endpoint Protection client group, by attacker (source of the attack).
The SEP client uses the Risk Tracer technology to determine remote attacks such as network share-based virus infections.

Top Sources of Attack: [Used for tracing network attacks]

It can have information about MAC spoofing attempts, reverse DNS lookups, and TCP resequencing attacks.

Cheers,
Aniket

Prashant Bharadwaj

Bijan,

Aniket is right, but it is a little complicated.

I am just trying to put the same in simpler words:

Risk Distribution by Attackers is nothing but the count of viruses and spyware detected in your network. Don't be confused by the words "source of attacker" into thinking it is someone outside your network. In other words, it is the count of all risks logged by the Antivirus and Antispyware engine for any given IP address/computer.

Top Sources of Attack is basically the count of suspicious network activities (which can be as simple as sending information through an open port, or spreading trojans to other computers within the network). In this case it's the count of denials logged by Network Threat Protection for any given IP address.

Prashant Bharadwaj, CEH, MCTS Windows Server 2008 Active Directory, Configuration, SCS Symantec Endpoint Protection 11.0

pete_4u2002

Hi,
Analyze first the IPs reported as the source of attack. Check for virus definitions, that the AV feature is working properly, and that Microsoft patches are applied.

Then, based on the outcome, you may need to block. Many times, missing Microsoft patches cause the issue, though SEP is blocking the attack.

Cheers,
Pete

Aniket Amdekar

When you have a virus outbreak in your network, some infected machines will try to infect other machines in the network. Risk Tracer is a utility with which you can track down these network-infecting machines.

Similarly, when a worm is present on the network, it will try to attack other machines. Firewall/IPS will stop that and send that info to SEPM.

So... if you are dealing with a virus outbreak, check the Risk Distribution and block the most active IPs.

The Top Sources of Attack will tell you which workstations in your network are performing network attacks on other machines.

Cheers,
Aniket

SOLUTION
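As an added illustration (not from this thread and not Symantec's code), here are the two tallies the answers above describe, computed over constructed sample records: Risk Distribution counts AV/AS detections by the host Risk Tracer named as the source, while Top Sources of Attack counts Network Threat Protection denials by remote IP, which is why the two reports can rank different addresses. The field names and values are assumptions for the example, not the real SEPM log schema.

```python
from collections import Counter

# Constructed sample records, not real SEPM log exports. Risk log entries are
# AV/AS detections; 'source' is the remote host Risk Tracer identified as the
# writer of the infected file (None when the infection was local, e.g. USB).
RISK_LOG = [
    {"client": "WS-01", "risk": "W32.Sample!gen", "source": "10.0.0.25"},
    {"client": "WS-02", "risk": "W32.Sample!gen", "source": "10.0.0.25"},
    {"client": "WS-04", "risk": "W32.Sample!gen", "source": "10.0.0.25"},
    {"client": "WS-03", "risk": "Trojan.Sample", "source": "10.0.0.7"},
    {"client": "WS-05", "risk": "Adware.Sample", "source": None},
]

# Network Threat Protection entries; 'remote_ip' is the peer the firewall/IPS
# rule matched. Only 'Denied' events count as attacks for the report.
NTP_LOG = [
    {"client": "WS-01", "action": "Denied", "remote_ip": "10.0.0.40", "rule": "Port scan"},
    {"client": "WS-02", "action": "Denied", "remote_ip": "10.0.0.40", "rule": "Port scan"},
    {"client": "WS-03", "action": "Denied", "remote_ip": "10.0.0.40", "rule": "Port scan"},
    {"client": "WS-05", "action": "Denied", "remote_ip": "10.0.0.7", "rule": "Worm signature"},
    {"client": "WS-06", "action": "Allowed", "remote_ip": "10.0.0.9", "rule": "Log only"},
]

def risk_distribution_by_attacker(risk_log):
    """Detections per attacking host: what Risk Distribution by Attacker tallies."""
    return Counter(r["source"] for r in risk_log if r["source"])

def top_sources_of_attack(ntp_log):
    """Denials per remote IP: what Top Sources of Attack tallies."""
    return Counter(r["remote_ip"] for r in ntp_log if r["action"] == "Denied")

def classify_hosts(risk_log, ntp_log):
    """Label each IP by which report(s) it appears in, to explain the mismatch."""
    spreaders = risk_distribution_by_attacker(risk_log)
    attackers = top_sources_of_attack(ntp_log)
    labels = {}
    for ip in set(spreaders) | set(attackers):
        if ip in spreaders and ip in attackers:
            labels[ip] = "both"
        elif ip in spreaders:
            labels[ip] = "virus spreader"
        else:
            labels[ip] = "network attacker"
    return labels

if __name__ == "__main__":
    print("Risk Distribution by Attacker:", risk_distribution_by_attacker(RISK_LOG).most_common())
    print("Top Sources of Attack:", top_sources_of_attack(NTP_LOG).most_common())
    print("Classification:", classify_hosts(RISK_LOG, NTP_LOG))
```

Run against your own exported Risk and Network Threat Protection logs, the same split shows which hosts to treat as infection sources and which as network attackers before deciding what to block.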