Using Endpoint Protection Manager reports and logs to identify infected computers

book

Article ID: 178847

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

 

Resolution

When dealing with a threat outbreak, the various reports and logs within the SEPM (Symantec Endpoint Protection Manager) can greatly assist in identifying machines that are infected and trying to spread the threat to other computers on the network.  Within the SEPM, reports and logs can be generated to identify infected machines and locate the top sources of infection. Some of those reports, and the requirements necessary for reporting to work properly, are outlined below.

 

Network Threat Protection Attacks:

This report will show you the IP addresses of the machines generating the most attacks on the network.  Information like this is useful when (for example) seeking to identify which infected endpoints are attempting to spread W32.Qakbot to other machines. These logs will only be present if the machines have the Intrusion Prevention (IPS) feature installed and enabled.

Steps to generate the Network Threat Protection Top Sources of Attack Report:
1. Click on "Reports"
2. Select the "Quick Reports" tab
3. Choose Report Type: "Network Threat Protection"
4. Select report: "Top Sources of Attack"
5. Choose the time range to cover such as "Past week"
6. Click "Create Report"

Here is an example of that report:


While the above report will give you a quick overview of the top offenders, it does not go into specifics such as exactly what was detected. You can get specifics by pulling the Network Threat Protection Attack logs.

Steps to pull the Network Threat Protection Attack logs:
1. Click on "Monitors"
2. Select the "Logs" tab
3. Choose Log Type: "Network Threat Protection"
4. Select Log Content: "Attacks"
5. Choose the time range to cover such as "Past week"
6. Click "View Log"
Note: These can be exported into CSV format for manipulation within a spreadsheet program.


Risk Distribution:

This report will show the top machines that are specifically trying to spread a threat throughout the environment. Logs will only be present for attacks if the Network Scanning feature is enabled on the SEP clients.

Steps to generate the Risk Distribution - Attacking Computers Report:
1. Click on "Reports"
2. Select the "Quick Reports" tab
3. Choose Report Type: "Risk"
4. Select report: "Risk Distribution Summary"
5. Select Group by: "Attacking Computers"
6. Choose the time range to cover such as "Past week"
7. Click "Create Report"

As with the Network Threat Protection reports, this report gives a nice overview of the most active machines but does not give specifics. For specifics pull the Risk logs.

Steps to pull the Risk logs:
1. Click on "Monitors"
2. Select the "Logs" tab
3. Choose Log Type: "Risk"
4. Choose the time range to cover such as "Past week"
5. Click "View Log"
Note: These can be exported into CSV format for manipulation within a spreadsheet program.


SONAR:

The Proactive Threat Protection (also known as SONAR) component of SEP detects new threats based on behavioral heuristics. Reviewing its logs can point to machines that may be pulling in new variants.

Steps to generate the SONAR logs:
1. Click on "Monitors"
2. Select the "Logs" tab
3. Choose Log Type: "SONAR"
4. Choose the time range to cover such as "Past week"
5. Click "View Log"
Note: These can be exported into a CSV format for manipulation within a spreadsheet program.

The Connect article Using SEPM Alerts and Reports to Combat a Malware Outbreak provides an example of how these logs can assist administrators during an outbreak.

 

 

Attachments