What is Risk Tracer?
search cancel

What is Risk Tracer?

book

Article ID: 151301

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You are interested in getting more information on using Risk Tracer.

 

Resolution

About Risk Tracer

Worms and threats that spread across networks by network shares have become more common in recent years. Risk Tracer is an optional feature in the enterprise version of Symantec Endpoint Protection (SEP) that records information on what network source a threat has come from so that the root of the outbreak can be easily identified and fixed.

Risk Tracer can be extremely useful in informing what computers to isolate and scan. For illustration, export a Log History Report from the Symantec Endpoint Protection Manager (SEPM) and hide many of the columns that do not relate to Risk Tracer.

Example:

  1. Click Monitors > Logs.
  2. For Log Type, click Risk. Use the default filter.
  3. Click View Log.
  4. Click Export to export the search results.
  5. Open the resulting file with a spreadsheet program, such as Microsoft Excel.

Sample results appear below. 

Example of Risk Tracer

Event

Computer Name

Source

Source Computer Name

Source Computer IP

Virus Found

HOST-B

Auto-Protect scan

HOST-A

192.168.0.1

Virus Found

HOST-C

Auto-Protect scan

HOST-A

192.168.0.1

Virus Found

HOST-D

Auto-Protect scan

HOST-A

192.168.0.1


This log indicates that HOST-A at 192.168.0.1 should be isolated from the network and scanned. It is reportedly infecting other computers.

Please note that Risk Tracer relies upon very basic network awareness functionality. The computer name and IP that are listed were connecting to the SEP client at the time the infection was detected, but there may have been other connections as well. Symantec Technical Support recommends comparing the logs of several clients and noting which remote computer names and IPs keep coming up.

Configuring Risk Tracer

In SEPM, you configure Risk Tracer as follows:

  • For SEP 12.1.x, with the Virus and Spyware Protection policy open, click Windows Settings > Protection Technology > Auto-Protect > Advanced tab > Risk Tracer.
  • For SEP 11.x, with the Antivirus and Antispyware policy open, click File System Auto-Protect > Advanced tab > Risk Tracer.

 

 
A note about the warning box

If a warning box pops up to advise that the firewall policy and the active response feature must be enabled for Risk Tracer to work, be aware that the active response feature in the Intrusion Prevention policy appears in version 12.1.x in the "Protection and Stealth" component of the firewall policy.

To make this configuration change in your firewall policy, under Protection and Stealth > Protection Settings, check Automatically block an attacker's IP address (if not already checked) to enable active response.

The firewall must also be installed and enabled.
 

More information about Risk Tracer

Risk Tracer identifies the source of network share-based virus infections on client computers. When Auto-Protect detects an infection, it sends information to ccSvcHst, the main Symantec Endpoint Protection service. CcSvcHst determines if the infection originated locally or remotely.

If the infection came from a remote computer, ccSvcHst can do the following actions:

  • Look up and record the computer's NetBIOS computer name and its IP address.
  • Look up and record who was logged on to the computer at delivery time.
  • Display the information in the Risk properties dialog box.

ccSvcHst polls every second by default for network sessions, and then caches this information as a remote computer secondary source list. This information maximizes the frequency with which Risk Tracer can successfully identify the infected remote computer. For example, a risk may close the network share before ccSvcHst can record the network session. Risk Tracer then uses the secondary source list to try to identify the remote computer. This information can be configured in the Auto-Protect Advanced Options dialog box.

Note: In SEP 11.x, Rtvscan is the main Symantec Endpoint Protection service.

Risk Tracer information appears in the Risk Properties dialog box, and is available only for the risk entries that the infected files cause. When Risk Tracer determines that the local host activity caused an infection, it lists the source as the local host.

Risk Tracer lists a source as unknown when the following conditions are true:

  • It cannot identify the remote computer.
  • The authenticated user for a file share refers to multiple computers. This condition can occur when a user ID is associated with multiple network sessions. For example, multiple computers might be logged on to a file sharing server with the same server user ID.

To see the full list of remote computers that currently infect the local computer, make a change in the registry. Be sure to back up the registry before making changes.

  • On 32 bit systems use: HKEY_LOCAL_MACHINE> SOFTWARE\Symantec\Symantec Endpoint Protection\AV\ProductControl
  • On 64 bit systems use: HKEY_LOCAL_MACHINE\SOFTWARE\WoW6432Node\Symantec\Symantec Endpoint Protection\AV\ProductControl

Change "Debug" string value to: THREATTRACER X

This turns on the debug output and the X ensures that only the debug output for Risk Tracer appears.

Adding an L to the string writes the logs to:

  • Windows 7: C:\ProgramData\Symantec\Symantec Endpoint Protection\version\Data\Logs\vpdebug.log
  • Windows XP: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\version\Data\Logs\vpdebug.log

Where version represents the version of SEP you are using.

To ensure that the debug window does not appear, add XW.

Risk Tracer also includes an option to block the IP addresses of source computers. For this option to take effect, set the corresponding option in the Firewall Policy to enable this type of automatic blocking. To experiment with this feature, use the test virus file Eicar.com available from the following URL: www.eicar.org
 

Testing Risk Tracer

To test Risk Tracer, do the following:

On the client (for example, client A) that mounted the other client's shared directory (for example, client B), disable file system Auto-Protect. Insert the removable media that contains Eicar.com and copy the file to the shared directory on the other client (for example, client B). A virus notification alert appears. The following illustration shows this configuration.

When Risk History is later examined: locate the EICAR Test string threat, right-click the risk, click Properties, and then the source computer name is identified.
 

A few extra notes....

  • Risk Tracer relies upon Windows File and Printer Sharing. If this is disabled (as per Microsoft KB article 199346, http://support.microsoft.com/kb/199346), Risk Tracer will not work.
  • Risk Tracer works with Windows XP, Windows 2003, Windows 7 and other Windows operating systems.  It is not inherently limited to Windows XP.
  • The SEP client Network Threat Protection (NTP) feature must be installed for Risk Tracer to function fully.
  • Risk Tracer may be disabled in order to reduce SEP's performance impact on an overburdened computer.
  • The articles linked below offer additional information on using Risk Tracer.