Endpoint Protection

  • 1.  Risk tracer report

    Posted Feb 27, 2012 06:57 PM

    I have generated risk logs. Risk Tracer is enabled in SEPM. Based on the logs, I found that there are entries in the SOURCE column where the source IP is 0.0.0.0. Does that mean that there is no infection on the network? Thanks.



  • 2.  RE: Risk tracer report

    Posted Mar 06, 2012 12:11 PM

    Moving this post to the Endpoint Protection forum.

    Note that Windows File and Printer Sharing must be enabled in order for Risk Tracer to work.

    Please see - How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

    http://www.symantec.com/business/support/index?page=content&id=TECH94526&actp=search&viewlocale=en_US&searchid=1290458269625



  • 3.  RE: Risk tracer report

    Broadcom Employee
    Posted Mar 06, 2012 12:35 PM

    The source IP address is populated when a remote attack happens to a client machine and it is configured by policy to use the "Risk Tracer" option. Risk Tracer has a dependency with the Intrusion Prevention System's (IPS) feature of "Active Response". Both options must be installed and configured correctly to track the remote attacking machine's IP address on the SEP clients. The Symantec Endpoint Protection Manager (SEPM) server then receives the source IP address forwarded from the SEP client logs. When the SEPM displays the source IP address as 0.0.0.0, that is because the client didn't send the source IP address to the SEPM server for various reasons:

    • It could not be determined / masked
    • The risk was triggered locally and not by a remote machine.

    The source IP address received in the logs was a NULL value. By design, when the SEPM receives NULL values for this field it will populate with the value 0.0.0.0 so that it is not blank.

    Check this link:


    Syslog events show Source IP address as 0.0.0.0 when SEPM risk events are forwarded
    http://www.symantec.com/business/support/index?page=content&id=TECH132755
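
Added example, not part of the thread and not Symantec code: a triage of an exported risk log that treats a 0.0.0.0 or blank source as "not traced" rather than "no infection", following the reply above. The CSV column names (`client`, `risk`, `source`) and the sample rows are constructed assumptions, not SEPM's actual export schema.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export; column names are assumptions, not SEPM's real schema.
SAMPLE_EXPORT = """client,risk,source
PC-01,Trojan.Gen,0.0.0.0
PC-02,W32.Downadup,10.1.4.23
PC-03,W32.Downadup,10.1.4.23
PC-04,Trojan.Gen,
PC-02,W32.Downadup,10.1.4.23
PC-05,W32.Sality,10.1.7.9
"""

def classify_source(value):
    """Return an IP address object for a traced source, or None when untraced."""
    value = (value or "").strip()
    if not value:
        return None
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    # 0.0.0.0 is the placeholder written when the client sent no source address.
    return None if addr.is_unspecified else addr

def triage(export_text):
    """Split detections into traced remote sources and untraced detections."""
    traced = defaultdict(set)   # source IP -> distinct clients it reached
    untraced = []               # (client, risk) pairs that still need follow-up
    for row in csv.DictReader(io.StringIO(export_text)):
        addr = classify_source(row.get("source"))
        if addr is None:
            untraced.append((row["client"], row["risk"]))
        else:
            traced[str(addr)].add(row["client"])
    # Sources that hit the most distinct clients come first.
    ranked = sorted(traced.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return ranked, untraced

if __name__ == "__main__":
    ranked, untraced = triage(SAMPLE_EXPORT)
    for source, clients in ranked:
        print(f"{source}: {len(clients)} client(s): {', '.join(sorted(clients))}")
    print(f"{len(untraced)} detection(s) with no traced source:")
    for client, risk in untraced:
        print(f"  {client}: {risk}")
```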



  • 4.  RE: Risk tracer report

    Posted Mar 07, 2012 01:46 AM

    We resolved this issue by enabling file & printer sharing.