Information seen in the Symantec Endpoint Protection Manager (SEPM) Home page does not match with the Logs and reports that are generated from the Monitors and Reports tab. There is confusion which information can be used to check the Symantec Endpoint Protection (SEP) compliance in their network.
The root cause is that the sqls in "Home page" and "Monitors - Logs - Risk" were inconsistent. Some of the sqls missed the conditions "Alerts.DELETED=0",
This problem is fixed in Symantec Endpoint Protection 12.1 Release Update 3 (12.1 RU3). For information on how to obtain the latest build of Symantec Endpoint Protection, read ‘Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control’