Endpoint Protection

  • 1.  what is the difference between "top sources of attack" and "risk distribution by attacker" ?

    Posted Jun 27, 2009 03:23 AM
    What is the difference between "top sources of attack" and "risk distribution by attacker"? Which one is the actual source of viruses/attacks? Which IP should I trace for a virus, as both are giving different IP addresses?


  • 2.  RE: what is the difference between "top sources of attack" and "risk distribution by attacker" ?

    Posted Jul 01, 2009 07:03 PM
    Hi,

    Here is the information you have requested:

    Risk Distribution by Attacker:  [Used for tracing Viruses]

    Gives the number of remote virus attacks performed on the Symantec Endpoint Protection client group, by attacker (source of the attack).
    The SEP client uses the Risk Tracer technology to determine remote attacks such as network share-based virus infections.


    Top Sources of Attack:  [Used for tracing Network Attacks]

    It can contain information about MAC spoofing attempts, reverse DNS lookups, and TCP resequencing attacks.

    Cheers,
    Aniket



  • 3.  RE: what is the difference between "top sources of attack" and "risk distribution by attacker" ?

    Posted Jul 01, 2009 09:07 PM
    Bijan,

    Aniket is right, but complicated it a little.

    I am just trying to put the same thing in simpler words:

    Risk Distribution by Attackers is nothing but the count of viruses and spyware detected in your network. Don't get confused by the phrase "source of attacker" into thinking it means someone outside your network. In other words, it is the count of all risks logged by the Antivirus and Antispyware engine for any given IP address/computer.

    Top Sources of Attacks is basically the count of suspicious network activities (which can be as simple as sending information through an open port, or spreading trojans to other computers within the network). In this case it's the count of denials logged by Network Threat Protection for any given IP address.


  • 4.  RE: what is the difference between "top sources of attack" and "risk distribution by attacker" ?

    Posted Jul 02, 2009 12:39 AM
    So which IP should I block on my clients so that they will be safe from threats?


  • 5.  RE: what is the difference between "top sources of attack" and "risk distribution by attacker" ?

    Broadcom Employee
    Posted Jul 02, 2009 01:25 AM
    Hi,
    First analyze the IPs listed as the source of attack. Check the virus definitions, that the AV feature is working properly, and that Microsoft patches are applied.

    Then, based on the outcome, you may need to block. Many times, missing Microsoft patches cause the issue, even though SEP is blocking the attack.

    cheers
    Pete


  • 6.  RE: what is the difference between "top sources of attack" and "risk distribution by attacker" ?
    Best Answer

    Posted Jul 02, 2009 04:40 AM
    When you have a virus outbreak in your network, some infected machines will try to infect other machines in the network. Risk Tracer is a utility with which you can track down these network-infecting machines.

    Similarly, when a worm is present on the network, it will try to attack other machines. Firewall/IPS will stop that and send that info to SEPM.

    So... if you are dealing with a virus outbreak, check the Risk Distribution and block the most active IPs.

    The Top Sources of attack will tell you which workstations in your network are performing network attacks on other machines.

    Cheers,
    Aniket