You are interested in getting more information on using Risk Tracer.
About Risk Tracer
Worms and threats that spread across networks by network shares have become more common in recent years. Risk Tracer is an optional feature in the enterprise version of Symantec Endpoint Protection (SEP) that records information on what network source a threat has come from so that the root of the outbreak can be easily identified and fixed.
Risk Tracer can be extremely useful in identifying which computers to isolate and scan. For illustration, export a Log History Report from the Symantec Endpoint Protection Manager (SEPM) and hide the columns that do not relate to Risk Tracer.
Example: sample results from such an export appear below.

| Event | Computer Name | Source | Source Computer Name | Source Computer IP |
| --- | --- | --- | --- | --- |
| Virus Found | HOST-B | Auto-Protect scan | HOST-A | 192.168.0.1 |
| Virus Found | HOST-C | Auto-Protect scan | HOST-A | 192.168.0.1 |
| Virus Found | HOST-D | Auto-Protect scan | HOST-A | 192.168.0.1 |
This log indicates that HOST-A at 192.168.0.1 should be isolated from the network and scanned. It is reportedly infecting other computers.
Please note that Risk Tracer relies upon very basic network awareness functionality. The computer name and IP that are listed were connecting to the SEP client at the time the infection was detected, but there may have been other connections as well. Symantec Technical Support recommends comparing the logs of several clients and noting which remote computer names and IPs keep coming up.
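Comparing several clients' logs, as recommended above, can be scripted. The following is an added example (not Symantec's code) that assumes the Log History Report was exported as CSV with the column headers shown in the table above; the rows it parses are constructed to mirror that table plus two extra events, so it runs offline.

```python
# Added example (not Symantec's code): rank the remote sources in an
# exported SEPM Log History Report. Assumes a CSV export with the column
# headers shown in the article; the rows below are constructed.
import csv
import io
from collections import defaultdict

# Constructed sample export. One extra event names a different source
# host and one is a local detection, so the ranking has contrast.
SAMPLE_EXPORT = """\
Event,Computer Name,Source,Source Computer Name,Source Computer IP
Virus Found,HOST-B,Auto-Protect scan,HOST-A,192.168.0.1
Virus Found,HOST-C,Auto-Protect scan,HOST-A,192.168.0.1
Virus Found,HOST-D,Auto-Protect scan,HOST-A,192.168.0.1
Virus Found,HOST-C,Auto-Protect scan,HOST-E,192.168.0.5
Virus Found,HOST-F,Auto-Protect scan,Local Host,
"""

# Sources that carry no remote-host information and are skipped.
NOT_REMOTE = {"", "local host", "unknown"}

def rank_sources(export_text):
    """Return [(source_name, source_ip, distinct_clients, events)], sorted so
    the source reported by the most distinct client computers comes first."""
    clients = defaultdict(set)
    events = defaultdict(int)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Event"] != "Virus Found":
            continue
        name = row["Source Computer Name"].strip()
        if name.lower() in NOT_REMOTE:
            continue
        key = (name, row["Source Computer IP"].strip())
        clients[key].add(row["Computer Name"].strip())
        events[key] += 1
    ranked = [(n, ip, len(clients[(n, ip)]), events[(n, ip)]) for n, ip in clients]
    ranked.sort(key=lambda r: (-r[2], -r[3], r[0]))
    return ranked

def likely_root(export_text, min_clients=2):
    """Return (name, ip) of the top source only when at least min_clients distinct
    clients report it; one report is weak, since only the session open at detection is recorded."""
    ranked = rank_sources(export_text)
    if ranked and ranked[0][2] >= min_clients:
        return ranked[0][0], ranked[0][1]
    return None

if __name__ == "__main__":
    print(rank_sources(SAMPLE_EXPORT), likely_root(SAMPLE_EXPORT))
```

The source that recurs across the most distinct clients is the candidate to isolate and scan first; raise min_clients in a large environment to avoid acting on a single coincidental session.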
Configuring Risk Tracer
In SEPM, you configure Risk Tracer as follows:
A note about the warning box
If a warning box pops up to advise that the firewall policy and the active response feature must be enabled for Risk Tracer to work, be aware that in version 12.1.x the active response feature of the Intrusion Prevention policy appears in the "Protection and Stealth" component of the firewall policy.
To make this configuration change in your firewall policy, under Protection and Stealth > Protection Settings, check Automatically block an attacker's IP address (if not already checked) to enable active response.
The firewall must also be installed and enabled.
More information about Risk Tracer
Risk Tracer identifies the source of network share-based virus infections on client computers. When Auto-Protect detects an infection, it sends information to ccSvcHst, the main Symantec Endpoint Protection service. ccSvcHst determines whether the infection originated locally or remotely.
If the infection came from a remote computer, ccSvcHst can do the following actions:
ccSvcHst polls every second by default for network sessions, and then caches this information as a remote computer secondary source list. This list increases the frequency with which Risk Tracer can successfully identify the infected remote computer. For example, a risk may close the network share before ccSvcHst can record the network session; Risk Tracer then uses the secondary source list to try to identify the remote computer. This polling behavior can be configured in the Auto-Protect Advanced Options dialog box.
Note: In SEP 11.x, Rtvscan is the main Symantec Endpoint Protection service.
Risk Tracer information appears in the Risk Properties dialog box, and is available only for the risk entries that the infected files cause. When Risk Tracer determines that the local host activity caused an infection, it lists the source as the local host.
Risk Tracer lists a source as unknown when the following conditions are true:
To see the full list of remote computers that currently infect the local computer, make a change in the registry. Be sure to back up the registry before making changes.
Change "Debug" string value to: THREATTRACER X
This turns on the debug output and the X ensures that only the debug output for Risk Tracer appears.
Adding an L to the string writes the logs to:
Where version represents the version of SEP you are using.
To ensure that the debug window does not appear, add XW.
Risk Tracer also includes an option to block the IP addresses of source computers. For this option to take effect, set the corresponding option in the Firewall Policy to enable this type of automatic blocking. To experiment with this feature, use the test virus file Eicar.com available from the following URL: www.eicar.org
Testing Risk Tracer
To test Risk Tracer, do the following:
On the client (for example, client A) that mounted the other client's shared directory (for example, client B), disable file system Auto-Protect. Insert the removable media that contains Eicar.com and copy the file to the shared directory on the other client (for example, client B). A virus notification alert appears. The following illustration shows this configuration.
When you later examine the Risk History, locate the EICAR Test string threat, right-click the risk, and click Properties; the source computer name is identified there.
A few extra notes....