What are the different types of reports that can be run in the Symantec Endpoint Protection Manager (SEPM)?
What information do the different reports in the Symantec Endpoint Protection Manager show?
This information was gathered from the SEPM help files. For the latest version of this information, please check the help files inside the SEPM.
Report Types
Report type | Description |
Application and Device Control | Displays information about events where some type of behavior was blocked. These reports include information about application security alerts, blocked targets, and blocked devices. Blocked targets can be registry keys, DLLs, files, and processes. |
Audit | Displays information about the policies that clients and locations use currently. |
Compliance | Displays information about the compliance status of your network. These reports include information about Enforcer servers, Enforcer clients, Enforcer traffic, and host compliance. |
Computer Status | Displays information about the operational status of the computers in your network, such as which computers have security features turned off. These reports include information about versions, the clients that have not checked in to the server, client inventory, and online status. |
Network Threat Protection | Displays information about intrusion prevention, attacks on the firewall, and about firewall traffic and packets. |
Risk | Displays information about risk events on your management servers and their clients. It includes information about TruScan proactive threat scans. |
Scan | Displays information about antivirus and antispyware scan activity. |
System | Displays information about event times, event types, sites, domains, servers, and severity levels. |
Note: | Some predefined reports contain information that is obtained from Symantec Network Access Control. If you have not purchased that product, but you run one of that product's reports, the report is empty. |
About reports
Quick report types
Report type | Description |
Application and Device Control | The Application and Device Control reports contain information about events where access to a computer was blocked or a device was kept off the network. |
Audit | The Audit report contains information about policy modification activities, such as the event times and types, policy modifications, domains, sites, administrators, and descriptions. |
Compliance | The Compliance reports contain information about the Enforcer server, the Enforcer clients, the Enforcer traffic, and host compliance. |
Computer Status | The Computer Status reports contain information about the real-time operational status of the computers in the network. |
Network Threat Protection | The Network Threat Protection reports allow you to track a computer's activity and its interaction with other computers and networks. They record information about the traffic that tries to enter or exit the computers through their network connections. |
Risk | The Risk reports include information about risk events on your management servers and their clients. |
Scan | The Scan reports provide information about antivirus and antispyware scan activity. |
System | The System reports contain information that is useful for troubleshooting client problems. |
Note: | If you have only Symantec Network Access Control installed, a significant number of reports are empty. The Application and Device Control, Network Threat Protection, Risk, and Scan reports do not contain data. The Compliance and Audit reports do contain data, as do some of the Computer Status and System reports. |
Application and Device Control Reports
Report name | Description |
Top Groups With Most Alerted Application Control Logs | This report consists of a pie chart with the relative bars. It shows the groups with the application control logs that have generated the largest number of security alerts. |
Top Targets Blocked | This report consists of a pie chart with relative bars for each of the following targets, if applicable:
|
Top Devices Blocked | This report consists of a pie chart with a relative bar that shows the devices most frequently blocked from access to your network. |
Audit Reports
Report name | Description |
Policies Used | This report displays the policies that clients and locations use currently. Information includes the domain name, group name, and the serial number of the policy that is applied to each group. |
Compliance Reports
Report name | Description |
Network Compliance Status | This report consists of a line chart and a table. It displays the event time, number of attacks, and the percentage of attacks that are involved in each. You can display the total number of clients to which the following compliance actions have been applied over the time range that you select:
|
Compliance Status | You can select an action to display a line chart that shows one of the following:
|
Clients by Compliance Failure Summary | This report consists of a bar chart that shows the following information:
|
Compliance Failure Details | This report consists of a table that displays the number of unique computers by control failure. It shows the criteria and the rule that is involved in each failure. It includes the percentage of clients that are deployed and the percentage that failed. |
Non-compliant Clients by Location | This report consists of a table that shows the compliance failure events. These events display in groups that are based on their location. Information includes the unique computers that failed, and the percentage of total failures and location failures. |
Computer Status Reports
Report name | Description |
Virus Definitions Distribution | This report displays the unique virus definitions file versions that are used throughout your network and the number of computers and percentage using each version. It consists of a pie chart, a table, and relative bars. |
Computers Not Checked into Server | This report displays a list of all the computers that have not checked in with their server. It also displays the computer's IP address, the time of its last check-in, and the user that was logged in at that time. |
Symantec Endpoint Protection Product Versions | This report displays the list of version numbers for all the Symantec Endpoint Protection product versions in your network. It also includes the domain and server for each, as well as the number of computers and percentage of each. It consists of a pie chart and relative bars. |
Intrusion Prevention Signature Distribution | This report displays the IPS signature file versions that are used throughout your network. It also includes the domain and server for each, as well as the number of computers and percentage of each. It consists of a pie chart and relative bars. |
Client Inventory | This report consists of the following charts with relative bars that display the total number of computers and percentage of each:
|
Compliance Status Distribution | This report consists of a pie chart with relative bars that show compliance passes and failures by group or by subnet. It shows the number of computers and the percentage of computers that are in compliance. |
Client Online Status | This report consists of pie charts with relative bars per group or per subnet. It displays the percentage of your computers that are online. Online has the following meanings:
|
Clients With Latest Policy | This report consists of pie charts with relative bars per group or subnet. It displays the number of computers and percentage that have the latest policy applied. |
Client Count by Group | This report consists of a table that lists host information statistics by group. It lists the number of clients and users. If you use multiple domains, this information appears by domain. |
Security Status Summary | This report reflects the general security status of the network. This report displays the number and percentage of computers that have the following status:
|
Protection Content Versions | This report displays all the proactive protection content versions that are used throughout your network in a single report. One pie chart is displayed for each type of protection. The following content types are available:
|
Client Migration | This report consists of tables that describe the migration status of clients by domain, group, and server. It displays the client IP address and whether the migration succeeded, failed, or has not yet started. |
Client Software Rollout (Snapshots) (This report is available as a scheduled report only.) | This report consists of tables that track the progression of client package deployments. The snapshot information lets you see how quickly the rollout progresses, as well as how many clients are still not fully deployed. |
Clients Online/Offline Over Time (Snapshots) (This report is available as a scheduled report only.) | This report consists of line charts and tables that show the number of clients online or offline. One chart displays for each of the top targets. The target is either a group or an operating system. |
Clients With Latest Policy over Time (Snapshots) (This report is available as a scheduled report only.) | This report consists of a line chart that displays the clients that have the latest policy applied. One chart displays for each of the top clients. |
Non-compliant Clients Over Time (Snapshots) (This report is available as a scheduled report only.) | This report consists of a line chart that shows the percentage of clients that have failed a host integrity check over time. One chart displays for each of the top clients. |
Virus Definition Rollout (Snapshots) (This report is available as a scheduled report only.) | This report lists the virus definitions package versions that have been rolled out to clients. This information is useful for tracking the progress of deploying new virus definitions from the console. |
Network Threat Protection Reports
Report name | Description |
Top Targets Attacked | This report consists of a pie chart with a relative bar. You can view information using groups, subnets, clients, or ports as the target. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks. |
Top Sources of Attack | This report consists of a pie chart with relative bars that shows the top hosts that initiated attacks against your network. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks. |
Top Types of Attack | This report consists of a pie chart with associated relative bars. It includes information such as the number and percentage of events. It also includes the group and severity, as well as the event type and number by group. |
Top Blocked Applications | This report consists of a pie chart with relative bars that show the top applications that were prevented from accessing your network. It includes information such as the number and percentage of attacks, the group and severity, and the distribution of attacks by group. |
Attacks over Time | This report consists of one or more line charts that display attacks during the selected time period. For example, if the time range is the last month, the report displays the total number of attacks per day for the past month. It includes the number and percentage of attacks. You can view attacks for all computers, or by the top operating systems, users, IP addresses, groups, or attack types. |
Security Events by Severity | This report consists of a pie chart that displays the total number and percentage of security events in your network, ranked according to their severity. |
Blocked Applications Over Time | This report consists of a line chart and table. It displays the total number of applications that were prevented from accessing your network over a time period that you select. It includes the event time, the number of attacks, and the percentage. You can display the information for all computers, or by group, IP address, operating system, or user. |
Traffic Notifications Over Time | This report consists of a line chart. It shows the number of notifications that were based on firewall rule violations over time. The rules that are counted are those where you checked the Send Email Alert option in the Logging column of the Firewall Policy Rules list. You can display the information in this report for all computers, or by group, IP address, operating system, or user. |
Top Traffic Notifications | This report consists of a pie chart with relative bars that lists the group or subnet, and the number and percentage of notifications. It shows the number of notifications that were based on firewall rule violations that you configured as important to be notified about. The rules that are counted are those where you checked the Send Email Alert option in the Logging column of the Firewall Policy Rules list. You can view information for all, for the Traffic log, or for the Packet log, grouped by top groups or subnets. |
Full Report | This report gives you the following Network Threat Protection information in a single report:
|
Risk Reports
Report name | Description |
Infected and At Risk Computers | This report consists of two tables. One table lists computers that have a virus infection. The other table lists the computers that have a security risk that has not yet been remediated. |
Detection Action Summary | This report consists of a table that shows a count of all the possible actions that were taken when risks were detected. The possible actions are Cleaned, Suspicious, Blocked, Quarantined, Deleted, Newly Infected, and Still Infected. This information also appears on the Symantec Endpoint Protection Home page. |
Risk Detections Count | This report consists of a pie chart, a risk table, and an associated relative bar. It shows the total number of risk detections by domain, server, or computer. If you have legacy Symantec AntiVirus clients, the report uses the server group rather than the domain. |
New Risks Detected in the Network | This report includes a table and a distribution pie chart. For each new risk, the table provides the following information:
The pie chart shows new risk distribution by the target selection type: domain (server group on legacy computers), group, server (parent server on legacy computers), computer, or user name. |
Top Risk Detections Correlation | This report consists of a three-dimensional bar graph that correlates virus and security risk detections by using two variables. You can select from computer, user name, domain, group, server, or risk name for the x and y axis variables. This report shows the top five instances for each axis variable. If you selected computer as one of the variables and there are fewer than five infected computers, non-infected computers may appear in the graph. Note: For computers running legacy versions of Symantec AntiVirus, the server group and parent server are used instead of domain and server. |
Risk Distribution Summary | This report includes a pie chart and an associated bar graph that displays a relative percentage for each unique item from the chosen target type. For example, if the chosen target is risk name, the pie chart displays slices for each unique risk. A bar is shown for each risk name and the details include the number of detections and its percentage of the total detections. Targets include the risk name, domain, group, server, computer, user name, source, risk type, or risk severity. For computers running legacy versions of Symantec AntiVirus, the server group and parent server are used instead of domain and server. |
Risk Distribution Over Time | This report consists of a table that displays the number of virus and security risk detections per unit of time and a relative bar. |
TruScan Proactive Threat Scan Detection Results | This report consists of a pie chart and bar graphs that display the following information:
For each list, this report displays the company name, the application hash and the version, and the computer involved. For the permitted applications, it also displays the source of the permission. |
TruScan Proactive Threat Distribution | This report consists of a pie chart that displays the top application names that have been detected with relative bars and a summary table. The detections include applications on the Commercial Applications List and Forced Detections lists. The first summary table contains the application name and the number and percentage of detections. The summary table displays the following, per detection:
|
TruScan Proactive Threat Detection over Time | This report consists of a line chart that displays the number of proactive threat detections for the time period selected. It also contains a table with relative bars that lists the total numbers of the threats that were detected over time. |
Action Summary for Top Risks | This report lists the top risks that have been found in your network. For each, it displays action summary bars that show the percentage of each action that was taken when a risk was detected. Actions include quarantined, cleaned, deleted, and so on. This report also shows the percentage of time that each particular action was the first configured action, the second configured action, neither, or unknown. |
Number of Notifications | This report consists of a pie chart with an associated relative bar. The charts show the number of notifications that were triggered by the firewall rule violations that you have configured as important to be notified about. It includes the type of notifications and the number of each. |
Number of Notifications over Time | This report consists of a line chart that displays the number of notifications in the network for the time period selected. It also contains a table that lists the number of notifications and percentage over time. You can filter the data to display by the type of notification, acknowledgment status, creator, and notification name. |
Weekly Outbreaks | This report displays the number of virus and security risk detections and a relative bar per week for each for the specified time range. A range of one day displays the past week. |
Comprehensive Risk Report | By default, this report includes all of the distribution reports and the new risks report. However, you can configure it to include only certain of the reports. This report includes the information for all domains. |
Scan Reports
Report name | Description |
Scan Statistics Histogram | This report is presented as a histogram. You can select how you want the information in the scan report to be distributed. You can select one of the following methods:
You can also configure the bin width and how many bins are used in the histogram. The bin width is the data interval that is used for the group by selection. The number of bins specifies how many times the data interval is repeated in the histogram. The information that displays includes the number of entries and the minimum and the maximum values, as well as the average and the standard deviation. You might want to change the report values to maximize the information that is generated in the report's histogram. For example, you might want to consider the size of your network and the amount of information that you view. |
Computers by Last Scan Time | This report shows a list of computers in your security network by the last time scanned. It also includes the IP address and the name of the user that was logged in at the time of the scan. |
Computers Not Scanned | This report shows a list of computers in your security network that have not been scanned. This report provides the following additional information:
|
System Reports
Report name | Description |
Top Clients That Generate Errors | This report consists of a pie chart for each warning condition and error condition. The charts show the relative error count and relative warning count and percentage, by client. |
Top Servers That Generate Errors | This report consists of a pie chart for each warning condition and error condition. The charts show the relative error count and relative warning count and percentage, by server. |
Top Enforcers That Generate Errors | This report consists of a pie chart for each warning condition and error condition. The charts show the relative error count and relative warning count and percentage, by Enforcer. |
Database Replication Failures Over Time | This report consists of a line chart with an associated table that lists the replication failures for the time range selected. |
Site Status | This report displays the current status and throughput of all servers in your local site. It also shows information about client installation, client online status, and client log volume for your local site. The data this report draws from is updated every ten seconds, but you need to rerun the report to see updated data. Note: If you have multiple sites, this report shows the total installed and online clients for your local site, not all your sites. If you have site or domain restrictions as an administrator, you only see the information that you are allowed to see. The health status of a server is classified as follows:
For each server, this report contains the status, health status and reason, CPU and memory usage, and free disk space. It also contains server throughput information, such as policies downloaded, and site throughput sampled from the last heartbeat. It includes the following site throughput information:
Online has the following meanings in this report:
|