Risk Tracer must first be enabled in your Virus and Spyware Protection policy in order to view the information it can collect. To function fully, Risk Tracer requires Network Threat Protection (NTP) and IPS to be installed and IPS Active Response to be enabled.
[Please see What is Risk Tracer? for more information.]
To view the top machines attacking other machines in your environment, as discovered by Auto-Protect and located by Risk Tracer, open the Symantec Endpoint Protection Manager (SEPM) and go to the Monitors page. Under "Summary", view the "Risk Distribution by Attacker" chart, which should show the IP addresses of the risk attackers.
More details on a specific threat can be found at:
Monitors -> Logs tab -> Log type: Risk, then click View Log. Select the particular risk you wish to view more information about and click the Details hyperlink at the top of the page.
How to enable Risk Tracer in Endpoint Protection:
- Log in to SEPM.
- Click on the Policies tab.
- Right-click the Virus and Spyware Protection policy and click Edit.
- Click on Auto-Protect.
- Click on the Advanced tab and click on Risk Tracer under Additional Options.
- Put a check mark in Enable Risk Tracer and then click OK.
Technical Information
After Risk Tracer is enabled in SEP 12.1 or newer, the raw logs can be found under the following path:
- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<version>\Data\Logs\AV