Deception logs and reports

The Deception logs and reports contain information about any activity that the clients send back to Symantec Endpoint Protection Manager as the result of deceptor activity. A deceptor is designed to look interesting to an attacker. However, it only sends events back to the client and to Symantec Endpoint Protection Manager to indicate that it has been attacked.
Deception is a set of tools that you use to present to a potential attacker what appears to be desirable data and an attack vector. You use these tools to quickly detect and stop infiltration attempts.
Actions to take on events in the Deception logs

| Option | Description |
| --- | --- |
| Place client(s) in Quarantine | Moves the clients that you believe are compromised in some way into the Quarantine. |
| Place client(s) from Quarantine | Removes the clients from the Quarantine. Use this option either if the attack was neutralized or if you quarantined the client in error. |

Deception reports

| Summary | Description |
| --- | --- |
| Top Machines with Deception Activity | Displays the top client computers that get hit by attacker activity, as indicated by events from deceptors on the given computers. A deceptor consists of artifacts such as files that are delivered to client computers. When an attacker touches an artifact, the artifact triggers an event. By design, the artifacts are hidden from the everyday user, but are interesting to an intruder. |
| Top Processes with Deception Activity | Displays the caller processes that attackers use to trigger deception events. For example, if ping.exe was used to trigger the Network Lookup (DNS) Deceptor, then ping.exe is the caller process. |
| Top Users with Deception Activity | Displays the users that get hit by attacker activity the most, based on events from deceptors on the client computers that the users use. |
| Top Deceptors Triggered | Displays the deceptors that attackers touched the most. |