Worms and threats that spread across networks through network shares, like Downadup/Conficker, have become more common in recent years.

Jul 22, 2009 01:25 PM

Risk Tracer is a useful SEP feature for tracking the attack source during a worm outbreak such as Downadup/Conficker.


What is Risk Tracer?

Risk Tracer identifies the source of network share-based virus infections on computers that run Windows XP.

When Auto-Protect detects an infection, it sends information to Rtvscan, the main Symantec Client Security service. Rtvscan determines whether the infection originated locally or remotely. If the infection came from a remote computer, Rtvscan can look up and record that computer's NetBIOS name, its IP address, and who was logged on to it at delivery time, and then display this information in the Risk properties dialog box.

Rtvscan polls for network sessions every second by default and caches this information as a remote computer secondary source list. This polling, which you can configure in the Auto-Protect Advanced Options dialog box, maximizes the chance that Risk Tracer can identify the infected remote computer: a risk may close the network share before Rtvscan records the network session, in which case Risk Tracer uses the secondary source list to try to identify the remote computer.

Risk Tracer information appears in the Risk properties dialog box and is available only for the risk entries that infected files cause. When Risk Tracer determines that the infection came from local host activity, it lists the source as the local host.

Risk Tracer lists a source as unknown in the Risk properties dialog box when either of the following conditions is true:
- It cannot identify the remote computer.
- The authenticated user for a file share refers to multiple computers. This condition can occur when a user ID is associated with multiple network sessions; for example, multiple computers might be logged on to a file sharing server with the same server user ID.
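To make those rules concrete, here is a small Python model of the attribution logic. It is added here as an illustration; it is not Symantec's code and does not talk to Rtvscan. A once-per-second poll caches the sessions it sees as the secondary source list; on a detection the tracer checks live sessions first, then the cache, reports the local host when no remote session wrote the file, and reports unknown when nothing is recorded or when one user ID maps to several computers. The `Session` and `Detection` structures, the 30-second cache lifetime, and every host name, IP and user ID are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

LOCAL_HOST = "local host"
UNKNOWN = "unknown"


@dataclass(frozen=True)
class Session:
    """One network session as a once-per-second poller would see it (constructed)."""
    share: str      # local share the remote computer has open, e.g. "C$"
    user: str       # authenticated user ID on that session
    computer: str   # remote NetBIOS name, "" if it did not resolve
    ip: str         # remote IP address
    seen_at: float  # time of the poll that observed it, in seconds


@dataclass(frozen=True)
class Detection:
    """What Auto-Protect hands the tracer. share=None means a local process
    wrote the file; otherwise share/user identify the session that wrote it."""
    path: str
    share: Optional[str]
    user: Optional[str]
    at: float


class RiskTracerModel:
    """Attribution rules as the text describes them; not Symantec's code."""

    def __init__(self, cache_window: float = 30.0):
        self.cache_window = cache_window  # assumed lifetime of a cached session
        # secondary source list: (share, user) -> {remote ip: most recent Session}
        self._cache: dict[tuple[str, str], dict[str, Session]] = {}

    def poll(self, live: list[Session]) -> None:
        """Run once a second: remember every session currently open."""
        for s in live:
            self._cache.setdefault((s.share, s.user), {})[s.ip] = s

    def trace(self, det: Detection, live: list[Session]) -> dict:
        """Return the Risk properties 'source' fields for one detection."""
        if det.share is None:
            return {"source": LOCAL_HOST, "ip": None, "user": None}
        key = (det.share, det.user)
        # Primary lookup: a session that is still open right now.
        found = {s.ip: s for s in live if (s.share, s.user) == key}
        # Secondary lookup: the risk may have closed the share already.
        if not found:
            found = {ip: s for ip, s in self._cache.get(key, {}).items()
                     if det.at - s.seen_at <= self.cache_window}
        if len(found) != 1:
            # Nothing recorded, or one user ID logged on from several computers.
            return {"source": UNKNOWN, "ip": None, "user": det.user}
        s = next(iter(found.values()))
        return {"source": s.computer or s.ip, "ip": s.ip, "user": s.user}


def demo() -> list[dict]:
    """Constructed scenario covering the three outcomes described in the text."""
    tracer = RiskTracerModel()
    ws17 = Session("C$", "CORP\\svc-backup", "WS-17", "172.16.16.187", 100.0)
    tracer.poll([ws17])   # second 100: the dropper's session is visible
    tracer.poll([])       # second 101: it has already closed the share
    out = []
    # 1. Remote write, session gone: resolved from the secondary source list.
    out.append(tracer.trace(Detection(r"C:\WINDOWS\system32\fllkxqj.d", "C$",
                                      "CORP\\svc-backup", 101.5), live=[]))
    # 2. A local process wrote the file.
    out.append(tracer.trace(Detection(r"C:\Temp\x.exe", None, None, 102.0), live=[]))
    # 3. One user ID logged on from two computers on the same share.
    a = Session("Public", "CORP\\shared", "WS-02", "172.16.16.5", 103.0)
    b = Session("Public", "CORP\\shared", "WS-09", "172.16.16.9", 103.0)
    out.append(tracer.trace(Detection(r"C:\Public\w.exe", "Public", "CORP\\shared",
                                      103.2), live=[a, b]))
    return out


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The cache window is the model's stand-in for the page's observation that a risk can close the share before Rtvscan records the session: a detection that arrives within the window is still attributed, one that arrives later falls through to unknown.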


How to enable Risk Tracer

1) Click Policies.
2) Click Antivirus and Antispyware.
3) Double-click the Antivirus and Antispyware policy.
4) Click File System Auto-Protect.
5) Click the Advanced tab.
6) In the Additional options section, click the "Risk Tracer" button.
7) In the "Risk Tracer" window, check "Enable Risk Tracer" and leave the other settings at their defaults.

Please note: for Risk Tracer to work, Network Threat Protection must be enabled on all client computers, along with the File and Printer Sharing service.


In SEPM, Risk Tracer is configured on the Advanced tab of the File System Auto-Protect page of the Antivirus and Antispyware policy.

[Screenshot: SEPM Risk Tracer settings on the File System Auto-Protect Advanced tab]

In SAV, Risk Tracer is configured in the Advanced scan options for File System Auto-Protect.

[Screenshot: SAV Risk Tracer settings in the File System Auto-Protect Advanced scan options]




The Symantec™ Client Security Installation Guide version 3.1 contains a section on Testing Risk Tracer, beginning on page 85:

To test Risk Tracer, do the following:

On the client (for example, client A) that mounted the other client's shared directory (for example, client B), disable File System Auto-Protect. Insert the removable media that contains Eicar.com and copy the file to the shared directory on the other client (for example, client B). A virus notification alert appears. The following illustration shows this configuration.

[Illustration: client A copies Eicar.com into the directory shared by client B]

Refresh the Symantec System Center user interface, right-click the client that shares the directory (for example, client B), and then click All Tasks > Symantec AntiVirus > Logs > Risk History. Locate the EICAR Test String threat, right-click the risk, click Properties, and the source computer name is identified.

Additional Information:
Risk Tracer relies on Windows File and Printer Sharing. If this is disabled (as per MS Article 199346, http://support.microsoft.com/kb/199346), Risk Tracer will not work.
Risk Tracer may be disabled to reduce SAV's performance impact on an overburdened computer.



Network impact if Risk Tracer is enabled


There can be network performance issues if this feature is enabled, because Rtvscan polls network sessions every second.

Technical Information:
Risk Tracer details are stored in the Alerts table of the SEPM database:

SOURCE_COMPUTER_NAME: NetBIOS name of the computer the threat was delivered from. Logged only when Risk Tracer is enabled in the Antivirus and Antispyware policy.
SOURCE_COMPUTER_IP: IP address of the computer the threat was delivered from. Logged only when Risk Tracer is enabled in the Antivirus and Antispyware policy.

How to read Risk logs after Risk Tracer is enabled

1) Log in to the SEPM.
2) Click Monitors.
3) Click the Logs tab.
4) Select "Risk" as the log type.
5) Click "View Logs" to generate the log entries.
6) Click "Export" and save "Risk_reports.txt" to your computer.
7) Rename the ".txt" extension to ".csv".
8) Open the file with Microsoft Excel.

Exported file content:

Event        Computer Name  Source             Risk Name       File Path                       Actual Action        Event Date      Source Computer Name  Source Computer IP
Virus found  Machine Name   Auto-Protect scan  W32.Downadup.B  M:/WINNT/system32/kejkf.l       Cleaned by deletion  03-09-09 18:05  Machine Name          172.16.16.5
Virus found  Machine Name   Auto-Protect scan  W32.Downadup.B  C:/WINDOWS/system32/fllkxqj.d   Cleaned by deletion  03-09-09 18:05  Machine Name          172.16.16.187
Virus found  Machine Name   Auto-Protect scan  W32.Downadup.B  C:/WINDOWS/system32/papmaxc.t   Cleaned by deletion  03-09-09 18:05  172.16.16.187         172.16.16.187
Virus found  Machine Name   Auto-Protect scan  W32.Downadup.B  C:/WINDOWS/system32/ppjye.pzy   Cleaned by deletion  03-09-09 18:05  172.16.16.187         172.16.16.187
Virus found  Machine Name   Auto-Protect scan  W32.Downadup.B  C:/WINDOWS/system32/yaouej.yf   Cleaned by deletion  03-09-09 18:05  Machine Name          172.16.16.187
Virus found  Machine Name   Auto-Protect scan  W32.Downadup.B  C:/WINDOWS/system32/qzeelcn.cp  Cleaned by deletion  03-09-09 18:05  Machine Name          172.16.16.187
Virus found  Machine Name   Auto-Protect scan  W32.Downadup.B  C:/WINDOWS/system32/dmeet.uj    Cleaned by deletion  03-09-09 18:05  Machine Name          172.16.16.187



The source computers are the ones that need to be isolated, scanned with the latest virus definitions, and brought up to date with security patches.
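Once the Risk log has been exported as described above, the triage itself can be scripted. The following Python is an added example, not part of the original article: it reads an export with the columns shown in the table, groups detections by Source Computer IP, separates the rows Risk Tracer could not attribute (no source IP, a source listed as unknown or local host, or a source equal to the detecting computer), and lists the hosts to isolate, most active first. The sample rows are constructed to resemble the table above; the comma delimiter, the host names and the IP addresses are assumptions.

```python
from __future__ import annotations

import csv
import io

# Constructed sample in the layout of the export above. A comma delimiter is
# assumed; pass delimiter="\t" to triage() if the real file is tab-delimited.
SAMPLE_EXPORT = """\
Event,Computer Name,Source,Risk Name,File Path,Actual Action,Event Date,Source Computer Name,Source Computer IP
Virus found,FS-01,Auto-Protect scan,W32.Downadup.B,M:/WINNT/system32/kejkf.l,Cleaned by deletion,03-09-09 18:05,WS-02,172.16.16.5
Virus found,FS-01,Auto-Protect scan,W32.Downadup.B,C:/WINDOWS/system32/fllkxqj.d,Cleaned by deletion,03-09-09 18:05,WS-17,172.16.16.187
Virus found,FS-01,Auto-Protect scan,W32.Downadup.B,C:/WINDOWS/system32/papmaxc.t,Cleaned by deletion,03-09-09 18:05,172.16.16.187,172.16.16.187
Virus found,FS-01,Auto-Protect scan,W32.Downadup.B,C:/WINDOWS/system32/ppjye.pzy,Cleaned by deletion,03-09-09 18:05,172.16.16.187,172.16.16.187
Virus found,FS-02,Auto-Protect scan,W32.Downadup.B,C:/WINDOWS/system32/yaouej.yf,Cleaned by deletion,03-09-09 18:06,WS-17,172.16.16.187
Virus found,FS-02,Auto-Protect scan,W32.Downadup.B,C:/Temp/dropper.exe,Cleaned by deletion,03-09-09 18:06,FS-02,
Virus found,FS-02,Auto-Protect scan,W32.Downadup.B,C:/Temp/other.exe,Cleaned by deletion,03-09-09 18:06,unknown,
"""


def triage(export_text: str, delimiter: str = ",") -> dict:
    """Group Risk log rows by Risk Tracer source and rank sources by hit count.

    Rows with no source IP, a source of unknown/local host, or a source equal to
    the detecting computer are counted as unattributed rather than dropped silently.
    """
    reader = csv.DictReader(io.StringIO(export_text), delimiter=delimiter)
    by_ip: dict[str, dict] = {}
    unattributed = 0
    for row in reader:
        ip = (row.get("Source Computer IP") or "").strip()
        name = (row.get("Source Computer Name") or "").strip()
        victim = (row.get("Computer Name") or "").strip()
        if not ip or name == victim or name.lower() in ("unknown", "local host"):
            unattributed += 1
            continue
        rec = by_ip.setdefault(ip, {"ip": ip, "names": set(), "victims": set(),
                                    "risks": set(), "hits": 0})
        if name and name != ip:   # NetBIOS name resolved; keep it alongside the IP
            rec["names"].add(name)
        rec["victims"].add(victim)
        rec["risks"].add((row.get("Risk Name") or "").strip())
        rec["hits"] += 1
    ranked = sorted(by_ip.values(), key=lambda r: (-r["hits"], r["ip"]))
    return {
        "unattributed": unattributed,
        "sources": [{**r, "names": sorted(r["names"]), "victims": sorted(r["victims"]),
                     "risks": sorted(r["risks"])} for r in ranked],
    }


def isolation_list(result: dict) -> list[str]:
    """One line per source computer, most active first."""
    return [f"{r['ip']} ({', '.join(r['names']) or 'name unresolved'}): "
            f"{r['hits']} hits on {len(r['victims'])} computer(s), "
            f"risks: {', '.join(r['risks'])}" for r in result["sources"]]


if __name__ == "__main__":
    res = triage(SAMPLE_EXPORT)
    for line in isolation_list(res):
        print(line)
    print(f"{res['unattributed']} row(s) could not be attributed to a remote computer")
```

Against a real export, call `triage(open("Risk_reports.txt", encoding="utf-8").read())`. Grouping on the IP rather than the name matters because, as the table shows, the same source appears sometimes by NetBIOS name and sometimes by bare IP when the name did not resolve; the unattributed count tells you how many detections still need manual follow-up.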


Comments

Nov 16, 2010 06:49 AM

Thanks Manish

Nov 16, 2010 02:12 AM

Guruji...precise and informative document. Thank you.

Sep 14, 2010 08:09 AM

Thanks for the information.

Aug 30, 2009 09:23 PM

This is a very useful article. Keep up the good work.
 

Aug 27, 2009 06:50 AM

Useful article. Thank you for the information.

Aug 24, 2009 03:55 AM

I was not aware of this feature. Thanks for this information.

Aug 03, 2009 08:42 AM

Thank you for a very good article. This setting I haven't tried yet, but will now due to this article.

Jul 24, 2009 12:59 PM

Great work. This would really help many dealing with an outbreak.

Jul 23, 2009 01:01 PM

Very helpful Article.

I am using this feature in SEP and it helps a lot.

Jul 22, 2009 03:36 PM

Very useful.
