Hi,
Worms and other threats that spread across the network through file shares have become more common in recent years. Risk Tracer, an optional feature introduced in SAV 10.1/SCS 3.1 and also available in SEP 11, records which network source a threat came from so that the root of an outbreak can be identified and cleaned up quickly.
Risk Tracer can be extremely useful in deciding which computers to isolate and scan. To illustrate, export the Risk log from the SEPM and hide the columns that do not relate to Risk Tracer.
Example:
1. "Monitors" tab in the left-hand pane.
2. "Logs" tab at the top of the screen.
3. "Log type:" Risk
4. Leave the Default filter.
5. Click the "View Log" button.
6. Export the search results.
7. Import the export into Excel.
Results below.
Event         Computer Name   Source               Source Computer Name   Source Computer IP
Virus Found   TEST-130        Auto-Protect scan    TEST-01                10.14.3.13
Virus Found   TEST-055        Auto-Protect scan    TEST-01                10.14.3.13
Virus Found   TEST-065        Auto-Protect scan    TEST-01                10.14.3.13
This log indicates that TEST-01 at 10.14.3.13 should be isolated from the network and scanned: three different clients report it as the source of their infection.
Please note that Risk Tracer relies on very basic network awareness. The computer name and IP listed are those that had a connection open to the SAV or SEP client at the moment the infection was detected, but other connections may have been open at the same time, so a single entry on a single client does not prove that computer was the source.
Symantec Technical Support recommends comparing the logs of several clients and noting which remote computer names and IPs keep coming up.
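The check recommended above, counting how many distinct clients name the same remote computer, is easy to script once the log has been exported. The following is an added example, not code from the original post or from Symantec; it assumes a tab-delimited export with the column headings shown in the table above (a real SEPM export may use different delimiters or headings, so adjust the parser), and the sample rows are constructed for illustration. Rows with no Source Computer Name are local detections without Risk Tracer data and are skipped.

```python
import csv
import io

# Constructed sample export: the three rows from the table above, plus one
# client that also saw a different source and one local (non-network) detection.
SAMPLE_EXPORT = """Event\tComputer Name\tSource\tSource Computer Name\tSource Computer IP
Virus Found\tTEST-130\tAuto-Protect scan\tTEST-01\t10.14.3.13
Virus Found\tTEST-055\tAuto-Protect scan\tTEST-01\t10.14.3.13
Virus Found\tTEST-065\tAuto-Protect scan\tTEST-01\t10.14.3.13
Virus Found\tTEST-065\tAuto-Protect scan\tTEST-07\t10.14.3.42
Virus Found\tTEST-099\tManual scan\t\t
"""


def load_risk_log(text):
    """Parse a tab-delimited Risk log export into a list of dict rows (assumed format)."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return list(reader)


def rank_sources(rows):
    """Group rows by (Source Computer Name, Source Computer IP) and return them
    ordered by the number of distinct victim computers that reported each source.

    Counting distinct victims rather than raw events is the point of the
    "keeps coming up" check: one client logging the same neighbour ten times is
    far weaker evidence than three clients independently naming it.
    """
    victims_by_source = {}
    for row in rows:
        name = (row.get("Source Computer Name") or "").strip()
        ip = (row.get("Source Computer IP") or "").strip()
        if not name and not ip:
            continue  # local detection, no Risk Tracer data
        victims_by_source.setdefault((name, ip), set()).add(row["Computer Name"].strip())
    ranked = sorted(victims_by_source.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(name, ip, sorted(victims)) for (name, ip), victims in ranked]


def suspected_sources(rows, min_victims=2):
    """Return (name, ip) pairs reported by at least min_victims distinct clients,
    i.e. the machines worth isolating and scanning first."""
    return [(n, ip) for n, ip, victims in rank_sources(rows) if len(victims) >= min_victims]


if __name__ == "__main__":
    rows = load_risk_log(SAMPLE_EXPORT)
    for name, ip, victims in rank_sources(rows):
        print(f"{name or '?':<10} {ip or '?':<15} reported by {len(victims)} client(s): {', '.join(victims)}")
    print("Isolate and scan:", suspected_sources(rows))
```

On the sample data TEST-01 (10.14.3.13) is named by three different clients and TEST-07 by only one, so only TEST-01 crosses the default threshold; TEST-07 is the kind of single-client entry that may just have been another open connection at detection time and deserves a closer look rather than automatic isolation.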
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092711352448
Risk Tracer must first be enabled in your Antivirus and Antispyware policy before it collects any information or before that information appears in the logs.
To see the top machines attacking other machines in your environment, as detected by Auto-Protect and located by Risk Tracer, go to the Monitors page in the Symantec Endpoint Protection Manager and view the "Risk Distribution by Attacker" chart.
More details on a specific threat can be found at:
Monitors -> Logs tab -> Log type: Risk, then click View Log. Select the particular risk you want more information about and click the Details hyperlink at the top of the page.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009061208555748