Endpoint Protection

  • 1.  File creation date within Risk Report

    Posted Sep 18, 2016 09:24 AM

    Hello,

    A quarantined malware shows up in the SEP Client console under 'View Quarantine', wherein it shows the 'File Create Date'.

    Is that the actual creation date of the file OR the date when it landed on the system?

    1. Does it get featured in any of the SEPM Reports?

     

    We need to find out whether the malware was sourced from any remote endpoint. Since source IP field shows value as 0.0.0.0, we need to ascertain whether requirements to retrieve this information in Risk Logs are met.

    2. Will enabling Risk Tracer, Firewall and IPS fulfil the requirement? OR is there something left out?

     

    Thanks,

    Jimmy

    =-=-=

     

     



  • 2.  RE: File creation date within Risk Report

    Posted Sep 18, 2016 09:35 AM

    The file create date should be the time the file was "actioned" by SEP.

    Enabling Risk Tracer will help to locate the remote source, if available.

    How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

    This info should be in the Risk log on the Monitors tab.



  • 3.  RE: File creation date within Risk Report

    Posted Sep 19, 2016 09:47 AM

    Hi Brian,

    On a system, I could see that the actioned date was different than the File Create date.

    The File Create date seems to be the date on which the file lands on the system because, in my case, the column "DATE" matches the actioned timestamp, and column "File Create Date" shows an older date.

    -Jimmy

    =-=-=



  • 4.  RE: File creation date within Risk Report

    Posted Sep 19, 2016 03:59 PM

    The Summary page on the SEPM does not show "Risk Distribution by Attacker". It does show Risk Distribution, Risk Distribution by Group, Risk Distribution by Source, SONAR, and New Risks.

    Is there any additional configuration that needs to be done?

     

    -Jimmy

    =-=-=



  • 5.  RE: File creation date within Risk Report

    Posted Sep 19, 2016 04:06 PM

    This tab is not configurable.

    You can find that on the Reports page >> Quick Reports. There are various reports for the "Risk" report type.



  • 6.  RE: File creation date within Risk Report

    Posted Sep 19, 2016 06:48 PM

    Some viruses can change the file creation date, so when you look at when a file was created it could be, for example, created 1 year ago when in all actuality it was created today.

     

    Another good report to use is:

    Sonar Suspicious Report:

    Monitors, Logs, and choose to view a SONAR report with the Advanced filter set to display only the Events where the action resulted in a verdict of "Suspicious."

     

    Yes please use Risk Tracer and install all required features of the product for this to function correctly. 



  • 7.  RE: File creation date within Risk Report

    Posted Sep 20, 2016 12:16 PM

    Possibly a new variant that needs to be submitted for signature creation and detection.

    Upload a suspected infected file (Essential)

     

    Use the form below to upload a suspected infected file or an email with a malicious attachment to Symantec Security Response.

    This submission form is intended for Essential customers with a valid support ID number.

    Users of Norton products may submit suspicious files to Security Response by using this submission form instead.

    If you are submitting a file you believe to be clean, please use this submission form.

     

    https://submit.symantec.com/websubmit/essential.cgi

     



  • 8.  RE: File creation date within Risk Report

    Posted Sep 22, 2016 05:43 AM

    Thank you for responding!

    Since we know that Auto-Protect and Scheduled Full scans detect and quarantine the malware, it is the Risk Report that we expect to show the information. But, unfortunately, the information is not found.

    Without such a report, one has to keep guessing on which systems the file could possibly be, making investigations difficult.

     

    Regards,

    Jimmy

    =-=-=



  • 9.  RE: File creation date within Risk Report

    Posted Sep 26, 2016 02:34 AM

    Hi Kimberly,

    Our concern is only about known malware files that are actioned by the SEP Client.

    So we wish to know which report in SEPM shows the information provided by the column 'File Create Date' within the SEP Client console.


    Thanks,

    Jimmy

    =-=-=