This issue has been solved.

what is the difference between "top sources of attack" and "risk distribution by attacker" ?

Created: 27 Jun 2009 • Updated: 21 May 2010

What is the difference between "top sources of attack" and "risk distribution by attacker"? Which one is the actual source of viruses/attacks? Which IP should I trace for a virus, as both are giving different IP addresses?


Comments

01
Jul
2009

Hi,

Here is the information you have requested:

Risk Distribution by Attacker: [Used for tracing viruses]

Gives the amount of remote virus attacks done on the Symantec Endpoint Protection client group, by attacker (source of the attack).
The SEP client uses the Risk Tracer technology to determine remote attacks such as network share-based virus infections.

Top Sources of Attack: [Used for tracing network attacks]

It can have information about MAC spoofing attempts, reverse DNS lookups, and TCP resequencing attacks.

Cheers,
Aniket

Prashant Bharadwaj
Symantec Employee
01
Jul
2009

Bijan,

Aniket is right, but complicated it a little.

I am just trying to put the same in simpler words:

Risk Distribution by Attackers is nothing but the count of viruses and spyware detected in your network. Don't get confused by the words "source of attacker" into thinking it is someone outside your network. In other words, it is the count of all risks logged by the Antivirus and Antispyware engine for any given IP address/computer.

Top Sources of Attacks is basically the count of suspicious network activities (can be as simple as sending information through an open port, or spreading trojans to other computers within the network). In this case it's the count of denials logged by Network Threat Protection for any given IP address.

Prashant Bharadwaj, CEH, MCTS Windows Server 2008 Active Directory, Configuration, SCS Symantec Endpoint Protection 11.0
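To make the distinction in the two answers above concrete, here is an added illustration (not Symantec's code, and not a parser for real SEPM logs): it takes a constructed list of event records, where "risk" records stand in for Antivirus/Antispyware detections that carry a remote attacker address from Risk Tracer, and "ntp" records stand in for Network Threat Protection denials, and builds the two counts per IP address that the two reports show. The record layout, field names and sample addresses are all assumptions made for the example. It also lists hosts that show up in both reports, which is the kind of host worth investigating first rather than blocking blindly.

```python
"""Aggregate two kinds of endpoint-protection events by source address.

Added illustration for the thread; not Symantec code, and the record layout
and sample events are constructed for the example, not real SEPM log lines.
"""
from collections import Counter

# Constructed sample events.
#  kind="risk": an AV/AS detection on `client`; `attacker` is the remote host
#               that Risk Tracer attributed the infection to (None when the
#               detection was local, e.g. a downloaded file, and has no remote source).
#  kind="ntp":  a Network Threat Protection denial; `source` is the host whose
#               traffic was blocked.
SAMPLE_EVENTS = [
    {"kind": "risk", "client": "10.0.1.21", "attacker": "10.0.1.50", "name": "Sample.Worm"},
    {"kind": "risk", "client": "10.0.1.22", "attacker": "10.0.1.50", "name": "Sample.Worm"},
    {"kind": "risk", "client": "10.0.1.23", "attacker": "10.0.1.50", "name": "Sample.Worm"},
    {"kind": "risk", "client": "10.0.1.24", "attacker": "10.0.1.77", "name": "Sample.Trojan"},
    {"kind": "risk", "client": "10.0.1.25", "attacker": None, "name": "Sample.Adware"},
    {"kind": "ntp", "source": "10.0.1.90", "client": "10.0.1.21", "signature": "Port scan"},
    {"kind": "ntp", "source": "10.0.1.90", "client": "10.0.1.22", "signature": "Port scan"},
    {"kind": "ntp", "source": "10.0.1.90", "client": "10.0.1.23", "signature": "Port scan"},
    {"kind": "ntp", "source": "10.0.1.77", "client": "10.0.1.21", "signature": "TCP resequencing"},
    {"kind": "ntp", "source": "10.0.1.77", "client": "10.0.1.24", "signature": "TCP resequencing"},
    {"kind": "ntp", "source": "10.0.1.50", "client": "10.0.1.25", "signature": "MAC spoofing"},
]


def risk_distribution_by_attacker(events):
    """Count AV/AS detections per remote attacker address.

    Local detections with no attributed remote source are excluded: they have
    no attacker to trace, which is why the report can show fewer hosts than the
    raw detection count suggests.
    """
    counts = Counter(
        e["attacker"] for e in events
        if e["kind"] == "risk" and e.get("attacker")
    )
    return counts.most_common()


def top_sources_of_attack(events):
    """Count Network Threat Protection denials per source address."""
    counts = Counter(e["source"] for e in events if e["kind"] == "ntp")
    return counts.most_common()


def hosts_in_both_reports(events):
    """Hosts that both dropped malware onto others and generated blocked traffic.

    These are the first candidates for investigation (definitions, AV status,
    missing patches) before any blocking decision, as the thread advises.
    """
    risk_hosts = {ip for ip, _ in risk_distribution_by_attacker(events)}
    ntp_hosts = {ip for ip, _ in top_sources_of_attack(events)}
    return sorted(risk_hosts & ntp_hosts)


if __name__ == "__main__":
    print("Risk Distribution by Attacker:", risk_distribution_by_attacker(SAMPLE_EVENTS))
    print("Top Sources of Attack:        ", top_sources_of_attack(SAMPLE_EVENTS))
    print("In both reports:              ", hosts_in_both_reports(SAMPLE_EVENTS))
```

Run as-is, the two reports rank the sample hosts differently: 10.0.1.50 tops the risk report because three detections were attributed to it, while 10.0.1.90 tops the attack report because it generated the most blocked traffic without any detection being attributed to it. That is exactly why the two reports in the question show different IP addresses: they count different things.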

01
Jul
2009

So which IP should I block on my clients so that they will be safe from threats?

pete_4u2002
Symantec Employee
Accredited
01
Jul
2009

Hi,
Analyze first the IPs listed as the source of attack. Check the virus definitions, that the AV feature is working properly, and that Microsoft patches are applied.

Then, based on the outcome, you may need to block. Many times, missing Microsoft patches cause the issue, though SEP is blocking the attack.

cheers
Pete

02
Jul
2009
SOLUTION

When you have a virus outbreak in your network, some infected machines will try to infect other machines in the network. Risk Tracer is a utility with which you can track down these network-infecting machines.

Similarly, when a worm is present on the network, it will try to attack other machines. Firewall/IPS will stop that and send that info to SEPM.

So, if you are dealing with a virus outbreak, check the Risk Distribution and block the most active IPs.

The Top Sources of Attack will tell you which workstations in your network are performing network attacks on other machines.

Cheers,
Aniket