Endpoint Protection

  • 1.  Requirements for the Risk Tracer Feature

    Posted Oct 20, 2009 02:32 AM

    We have "checked" the Risk Tracer policy under our SSC and SEPM console. However, Source IP in the Risk History logs is showing "0.0.0.0" and not the IP address of the source of infection.

    Besides activating this feature on the policy console, are there other settings that need to be in place before the Risk Tracer feature can work?




  • 2.  RE: Requirements for the Risk Tracer Feature

    Posted Oct 20, 2009 02:41 AM
    Hi,

    Worms and threats that spread across networks by network shares have become more common in recent years. Risk Tracer is an optional feature in SAV 10.1/SCS 3.1 and in SEP 11 that records information on what network source a threat has come from so that the root of the outbreak can be easily identified and fixed. Risk Tracer was introduced in SAV 10.1/SCS 3.1.

    Risk Tracer can be extremely useful in informing what computers to isolate and scan. For illustration, export a Log History Report from the SEPM and hide many of the columns that do not relate to Risk Tracer.
    Example:
    "Monitors Tab" on the left hand pane. 
    "Logs"  on the tab menu (Top of Screen)
    "Log Type:" Risk
    Default Filter
    "View Log" button
    Export Search Results.
    Import into Excel.
    Results below.

    Event          Computer Name    Source               Source Computer Name    Source Computer IP
    Virus Found    TEST-130         Auto-Protect scan    TEST-01                 10.14.3.13
    Virus Found    TEST-055         Auto-Protect scan    TEST-01                 10.14.3.13
    Virus Found    TEST-065         Auto-Protect scan    TEST-01                 10.14.3.13

    This log is indicating that TEST-01 at 10.14.3.13 should be isolated from the network and scanned.  It is reportedly infecting other computers.

    Please note that Risk Tracer relies upon very basic network awareness functionality.  The computer name and IP that are listed were connecting to the SAV or SEP client at the time the infection was detected, but there may have been other connections as well. 
    Symantec Technical Support recommends comparing the logs of several clients and noting which remote computer names and IPs keep coming up.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092711352448


    Risk Tracer must first be enabled in your Antivirus and Antispyware policy in order to view the information it can collect.


    To view the top machines that are attacking other machines in your environment discovered by Autoprotect and located by way of Risk Tracer in the Symantec Endpoint Protection Manager go to the Monitors page and view the "Risk Distribution by Attacker" chart.

    More details on a specific threat can be found at:
    Monitors->Logs Tab->Log type : Risk and click on View Log. Then select the particular risk you wish to view more information about and click the Details hyperlink at the top of the page.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009061208555748
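    The analysis step described in the post above (export the Risk log, open it in a spreadsheet, and note which source computer names and IPs keep coming up across several clients) can be scripted. The following is an added example and is not code from the original thread or from Symantec; it assumes the export was saved as CSV with the column headings shown in the post, and the log rows it contains are constructed for illustration. Rows whose Source Computer IP is 0.0.0.0 (the symptom in the original question) carry no tracer information, so they are counted separately rather than treated as an attacker.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names follow the SEPM Risk log columns
# quoted in the post; host names and addresses are made up.
SAMPLE_EXPORT = """\
Event,Computer Name,Source,Source Computer Name,Source Computer IP
Virus Found,TEST-130,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-055,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-065,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-070,Auto-Protect scan,TEST-09,10.14.3.27
Virus Found,TEST-081,Auto-Protect scan,,0.0.0.0
"""

# Value the log shows when Risk Tracer could not resolve a source.
UNTRACED_IP = "0.0.0.0"


def parse_risk_log(text):
    """Parse a CSV export of the SEPM Risk log into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _source_of(row):
    """Return (source_name, source_ip) for a row, or None if untraced."""
    ip = (row.get("Source Computer IP") or "").strip()
    name = (row.get("Source Computer Name") or "").strip()
    if not ip or ip == UNTRACED_IP:
        return None
    return (name, ip)


def summarize_sources(rows):
    """Return (ranked_sources, untraced_count).

    ranked_sources lists ((source_name, source_ip), detections) tuples,
    most frequent first. Untraced rows are counted but not ranked.
    """
    counter = Counter()
    untraced = 0
    for row in rows:
        src = _source_of(row)
        if src is None:
            untraced += 1
        else:
            counter[src] += 1
    return counter.most_common(), untraced


def recurring_sources(rows, min_victims=2):
    """Sources named by at least min_victims distinct reporting computers.

    This follows the support recommendation in the post: compare the logs
    of several clients and trust a source only when more than one client
    names it, since Risk Tracer records whichever connection was open at
    detection time.
    """
    victims = {}
    for row in rows:
        src = _source_of(row)
        if src is None:
            continue
        victims.setdefault(src, set()).add(row["Computer Name"].strip())
    flagged = [(src, len(v)) for src, v in victims.items() if len(v) >= min_victims]
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    rows = parse_risk_log(SAMPLE_EXPORT)
    ranked, untraced = summarize_sources(rows)
    print("Untraced detections (Source IP 0.0.0.0):", untraced)
    for (name, ip), victims in recurring_sources(rows):
        print(f"Isolate and scan {name} ({ip}): reported by {victims} computers")
```

On the constructed sample this flags TEST-01 at 10.14.3.13 as the host to isolate, matching the reading of the log in the post, and reports one detection that Risk Tracer could not attribute. A high share of 0.0.0.0 rows in a real export is the signal to check the prerequisites discussed later in this thread rather than to look for an attacker.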




  • 3.  RE: Requirements for the Risk Tracer Feature

    Posted Oct 20, 2009 03:06 AM
    I'm not asking what Risk Tracer is.

    I know what Risk Tracer is, and we have it enabled in both our SSC Console (for SAV10 clients) and SEPM Console (for SEP11 clients).

    I'm asking if there are other settings that need to be in place before the Risk Tracer feature can work, i.e. Windows File and Printer Sharing must be enabled in order for Risk Tracer to work, and we already have this enabled.

    Besides the below knowledge base article, is there any official documentation from Symantec that talks about the Risk Tracer requirements?

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092711352448




  • 4.  RE: Requirements for the Risk Tracer Feature

    Posted Oct 20, 2009 03:09 AM
    i.e. Does the client firewall feature in SAV10 need to be activated in order for Risk Tracer to show the source computer?


  • 5.  RE: Requirements for the Risk Tracer Feature

    Posted Oct 20, 2009 03:26 AM
    There is no document other than the one mentioned by you on Risk Tracer.


  • 6.  RE: Requirements for the Risk Tracer Feature

    Posted Oct 20, 2009 03:28 AM
    You must have tested this before.

    http://www.upenn.edu/computing/virus/docs/sav_ce/101x/savinst.pdf

    I don't think they need the firewall to be activated.

    In the above link, go to page number 76. With your current configuration, test the Risk Tracer; if it works, then well and good (SAV).

    For SEP, as the document suggests, we need to have the Firewall and Intrusion policy activated.




  • 7.  RE: Requirements for the Risk Tracer Feature

    Posted Oct 20, 2009 04:51 AM

    Yes, you need to have Network Threat Protection installed on the SEP client so that it can trace the IP address of the attacker; similarly, on SCS you need to have Symantec Client Firewall installed.

    https://www-secure.symantec.com/connect/articles/worms-and-threats-spread-across-networks-network-shares-have-become-more-common-recent-yea-0

    Risk Tracer is part of the Antivirus component, and the AV component does not have the ability to understand IPs and networks.



  • 8.  RE: Requirements for the Risk Tracer Feature

    Posted Oct 20, 2009 09:20 PM
    In SAV you don't need the Client Firewall installed to use Risk Tracer, but in SEP you need NTP.


  • 9.  RE: Requirements for the Risk Tracer Feature

    Posted Oct 20, 2009 09:54 PM
    I just want to ask what features are installed on the SEP client side?


  • 10.  RE: Requirements for the Risk Tracer Feature

    Posted Oct 22, 2009 03:57 AM
    @Vikram

    As I said earlier, it is not required to have SCF to use Risk Tracer on SAV, because it does not depend on SCF. SCF is a separate component.

    For SEP as you said, we need NTP to use the Risk Tracer Feature.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092711352448