How to use Risk Tracer to locate the source of a threat in Endpoint Protection


Article ID: 177727


Updated On:


Endpoint Protection


You would like to know how can you use Symantec Endpoint Protection's optional Risk Tracer capabilities to locate infected machines that are attempting to spread a threat during an outbreak. You would also like to know how can you view the information Risk Tracer has gathered to show the top machines that are attacking other machines in your environment.



Microsoft Windows operating systems


Risk Tracer must first be enabled in your Virus and Spyware Protection policy in order to view the information it can collect.  To function fully, Risk Tracer requires Network Threat Protection (NTP) and IPS to be installed and IPS Active Response to be enabled.
[Please see What is Risk Tracer? for more information.]

To view the top machines that are attacking other machines in your environment discovered by Auto-Protect and located by way of Risk Tracer, open the Symantec Endpoint Protection Manager (SEPM) and go to the Monitors page.  View the "Risk Distribution by Attacker" chart under "Summary" which should show the IP addresses of the risk attackers.


More details on a specific threat can be found at :

Monitors->Logs Tab->Log type : Risk and click on View Log. Then select the particular risk you wish to view more information about and click the Details hyperlink at the top of the page.


How to enable Risk Tracer in Endpoint Protection:

  • Log in to SEPM.
  • Click on Policies tab.
  • Right click on Virus and Spyware Protection policy and click Edit.
  • Click on Auto-Protect.
  • Click on the Advanced tab and click on Risk Tracer under Additional Options.
  • Put a check mark in Enable Risk Tracer and then click OK.

Technical Information
After Risk Tracer is enabled in SEP 12.1, or newer, the raw logs can be found under the following path:

  • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<version>\Data\Logs\AV


If an outbreak is underway, administrators seeking to identify suspicious computers and files are also encouraged to examine the SEPM's SONAR reports.  Detailed tips can be found in the Connect article Using SEPM Alerts and Reports to Combat a Malware Outbreak.