About the different types of Symantec Endpoint Protection Manager Reports

Article ID: 177830

Products

Endpoint Protection

Issue/Introduction

What are the different types of reports that can be run in the Symantec Endpoint Protection Manager (SEPM)?

What information do the different reports in the Symantec Endpoint Protection Manager show?

Resolution

This information was gathered from the SEPM help files. For the latest version of this information please check the help files inside the SEPM.

Report Types

Application and Device Control: Displays information about events where some type of behavior was blocked. These reports include information about application security alerts, blocked targets, and blocked devices. Blocked targets can be registry keys, DLLs, files, and processes.
Audit: Displays information about the policies that clients and locations use currently.
Compliance: Displays information about the compliance status of your network. These reports include information about Enforcer servers, Enforcer clients, Enforcer traffic, and host compliance.
Computer Status: Displays information about the operational status of the computers in your network, such as which computers have security features turned off. These reports include information about versions, the clients that have not checked in to the server, client inventory, and online status.
Network Threat Protection: Displays information about intrusion prevention, attacks on the firewall, and about firewall traffic and packets.
Risk: Displays information about risk events on your management servers and their clients. It includes information about TruScan proactive threat scans.
Scan: Displays information about antivirus and antispyware scan activity.
System: Displays information about event times, event types, sites, domains, servers, and severity levels.

Note: Some predefined reports contain information that is obtained from Symantec Network Access Control. If you have not purchased that product, but you run one of that product's reports, the report is empty.

 

About reports

  • Quick reports are printable reports available on-demand from the Quick Reports tab on the Reports page.

Quick report types

Application and Device Control: The Application and Device Control reports contain information about events where access to a computer was blocked or a device was kept off the network.
Audit: The Audit report contains information about policy modification activities, such as the event times and types, policy modifications, domains, sites, administrators, and descriptions.
Compliance: The Compliance reports contain information about the Enforcer server, the Enforcer clients, the Enforcer traffic, and host compliance.
Computer Status: The Computer Status reports contain information about the real-time operational status of the computers in the network.
Network Threat Protection: The Network Threat Protection reports allow you to track a computer's activity and its interaction with other computers and networks. They record information about the traffic that tries to enter or exit the computers through their network connections.
Risk: The Risk reports include information about risk events on your management servers and their clients.
Scan: The Scan reports provide information about antivirus and antispyware scan activity.
System: The System reports contain information that is useful for troubleshooting client problems.

  • This section describes the reports by name and their general content. You can configure Basic Settings and Advanced Settings for all reports to refine the data you want to view. You can also save your custom filter with a name to run the same custom report at a later time.
  • If you have multiple domains in your network, many reports allow you to view data for all domains, one site, or a few sites. The default for all quick reports is to show all domains, groups, servers, and so on, as appropriate for the report you select to create.
Note: If you have only Symantec Network Access Control installed, a significant number of reports are empty. The Application and Device Control, Network Threat Protection, Risk, and Scan reports do not contain data. The Compliance and Audit reports do contain data, as do some of the Computer Status and System reports.
  • For a description of each configurable option, you can click Tell me more for that type of report on the Symantec Endpoint Protection Manager Console. Tell me more displays the context-sensitive Help.

 

Application and Device Control Reports

Top Groups With Most Alerted Application Control Logs: This report consists of a pie chart with the relative bars. It shows the groups with the application control logs that have generated the largest number of security alerts.
Top Targets Blocked: This report consists of a pie chart with relative bars for each of the following targets, if applicable:
  • Top Files
  • Top Registry Keys
  • Top Processes
  • Top Modules (DLLs)
Top Devices Blocked: This report consists of a pie chart with a relative bar that shows the devices most frequently blocked from access to your network.

Audit Reports

Policies Used: This report displays the policies that clients and locations use currently. Information includes the domain name, group name, and the serial number of the policy that is applied to each group.

Compliance Reports

Network Compliance Status: This report consists of a line chart and a table. It displays the event time, number of attacks, and the percentage of attacks that are involved in each.
You can display the total number of clients to which the following compliance actions have been applied over the time range that you select:
  • Authenticated
  • Disconnected
  • Failed
  • Passed
  • Rejected
Compliance Status: You can select an action to display a line chart that shows one of the following:
  • The total number of clients that have passed a host integrity check in your network over the time range that you select
  • The total number of clients that have failed a host integrity check in your network over the time range that you select
This report also includes a table that displays the event time, number of clients, and the percentage of clients that are involved in each.
Clients by Compliance Failure Summary: This report consists of a bar chart that shows the following information:
  • A count of the unique workstations by the type of control failure event, such as antivirus, firewall, or VPN.
  • The total number of clients in the group.
Compliance Failure Details: This report consists of a table that displays the number of unique computers by control failure. It shows the criteria and the rule that is involved in each failure. It includes the percentage of clients that are deployed and the percentage that failed.
Non-compliant Clients by Location: This report consists of a table that shows the compliance failure events. These events display in groups that are based on their location. Information includes the unique computers that failed, and the percentage of total failures and location failures.

Computer Status Reports

Virus Definitions Distribution: This report displays the unique virus definitions file versions that are used throughout your network and the number of computers and percentage using each version. It consists of a pie chart, a table, and relative bars.
Computers Not Checked into Server: This report displays a list of all the computers that have not checked in with their server. It also displays the computer's IP address, the time of its last check-in, and the user that was logged in at that time.
Symantec Endpoint Protection Product Versions: This report displays the list of version numbers for all the Symantec Endpoint Protection product versions in your network. It also includes the domain and server for each, as well as the number of computers and percentage of each. It consists of a pie chart and relative bars.
Intrusion Prevention Signature Distribution: This report displays the IPS signature file versions that are used throughout your network. It also includes the domain and server for each, as well as the number of computers and percentage of each. It consists of a pie chart and relative bars.
Client Inventory: This report consists of the following charts with relative bars that display the total number of computers and percentage of each:
  • Operating System
  • Total Memory
  • Free Memory
  • Total Disk Space
  • Free Disk Space
  • Processor Type
Compliance Status Distribution: This report consists of a pie chart with relative bars that show compliance passes and failures by group or by subnet. It shows the number of computers and the percentage of computers that are in compliance.
Client Online Status: This report consists of pie charts with relative bars per group or per subnet. It displays the percentage of your computers that are online.
Online has the following meanings:
  • For the clients that are in push mode, online means that the clients are currently connected to the server.
  • For the clients that are in pull mode, online means that the clients have contacted the server within the last two client heartbeats.
  • For the clients in remote sites, online means that the clients were online at the time of the last replication.
Clients With Latest Policy: This report consists of pie charts with relative bars per group or subnet. It displays the number of computers and percentage that have the latest policy applied.
Client Count by Group: This report consists of a table that lists host information statistics by group. It lists the number of clients and users. If you use multiple domains, this information appears by domain.
Security Status Summary: This report reflects the general security status of the network. It displays the number and percentage of computers that have the following status:
  • The Antivirus Engine is off.
  • Auto-Protect is off.
  • Tamper Protection is off.
  • Restart is required.
  • A Host Integrity check failed.
  • Network Threat Protection is off.
Protection Content Versions: This report displays all the proactive protection content versions that are used throughout your network in a single report. One pie chart is displayed for each type of protection. The following content types are available:
  • Decomposer versions
  • Eraser Engine versions
  • TruScan Proactive Threat Scan Content versions
  • TruScan Proactive Threat Scan Engine versions
  • Commercial Application List versions
  • Proactive Content Handler Engine versions
  • Permitted Applications List versions
  • The new content types that Symantec Security Response has added
Client Migration: This report consists of tables that describe the migration status of clients by domain, group, and server. It displays the client IP address and whether the migration succeeded, failed, or has not yet started.
Client Software Rollout (Snapshots): This report is available as a scheduled report only. It consists of tables that track the progression of client package deployments. The snapshot information lets you see how quickly the rollout progresses, as well as how many clients are still not fully deployed.
Clients Online/Offline Over Time (Snapshots): This report is available as a scheduled report only. It consists of line charts and tables that show the number of clients online or offline. One chart displays for each of the top targets. The target is either a group or an operating system.
Clients With Latest Policy over Time (Snapshots): This report is available as a scheduled report only. It consists of a line chart that displays the clients that have the latest policy applied. One chart displays for each of the top clients.
Non-compliant Clients Over Time (Snapshots): This report is available as a scheduled report only. It consists of a line chart that shows the percentage of clients that have failed a host integrity check over time. One chart displays for each of the top clients.
Virus Definition Rollout (Snapshots): This report is available as a scheduled report only. It lists the virus definitions package versions that have been rolled out to clients. This information is useful for tracking the progress of deploying new virus definitions from the console.

Network Threat Protection Reports

Top Targets Attacked: This report consists of a pie chart with relative bars. You can view information using groups, subnets, clients, or ports as the target. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks.
Top Sources of Attack: This report consists of a pie chart with relative bars that shows the top hosts that initiated attacks against your network. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks.
Top Types of Attack: This report consists of a pie chart with associated relative bars. It includes information such as the number and percentage of events. It also includes the group and severity, as well as the event type and number by group.
Top Blocked Applications: This report consists of a pie chart with relative bars that show the top applications that were prevented from accessing your network. It includes information such as the number and percentage of attacks, the group and severity, and the distribution of attacks by group.
Attacks over Time: This report consists of one or more line charts that display attacks during the selected time period. For example, if the time range is the last month, the report displays the total number of attacks per day for the past month. It includes the number and percentage of attacks. You can view attacks for all computers, or by the top operating systems, users, IP addresses, groups, or attack types.
Security Events by Severity: This report consists of a pie chart that displays the total number and percentage of security events in your network, ranked according to their severity.
Blocked Applications Over Time: This report consists of a line chart and table. It displays the total number of applications that were prevented from accessing your network over a time period that you select. It includes the event time, the number of attacks, and the percentage. You can display the information for all computers, or by group, IP address, operating system, or user.
Traffic Notifications Over Time: This report consists of a line chart. It shows the number of notifications that were based on firewall rule violations over time. The rules that are counted are those where you checked the Send Email Alert option in the Logging column of the Firewall Policy Rules list. You can display the information in this report for all computers, or by group, IP address, operating system, or user.
Top Traffic Notifications: This report consists of a pie chart with relative bars that lists the group or subnet, and the number and percentage of notifications. It shows the number of notifications that were based on firewall rule violations that you configured as important to be notified about. The rules that are counted are those where you checked the Send Email Alert option in the Logging column of the Firewall Policy Rules list. You can view information for all, for the Traffic log, or for the Packet log, grouped by top groups or subnets.
Full Report: This report gives you the following Network Threat Protection information in a single report:
  • Top Types of Attack
  • Top Targets Attacked by Group
  • Top Targets Attacked by Subnet
  • Top Targets Attacked by Client
  • Top Sources of Attack
  • Top Traffic Notifications by Group (Traffic)
  • Top Traffic Notifications by Group (Packets)
  • Top Traffic Notifications by Subnet (Traffic)
  • Top Traffic Notifications by Subnet (Packets)
This report includes the information for all domains.

Risk Reports

Infected and At Risk Computers: This report consists of two tables. One table lists computers that have a virus infection. The other table lists the computers that have a security risk that has not yet been remediated.
Detection Action Summary: This report consists of a table that shows a count of all the possible actions that were taken when risks were detected. The possible actions are Cleaned, Suspicious, Blocked, Quarantined, Deleted, Newly Infected, and Still Infected. This information also appears on the Symantec Endpoint Protection Home page.
Risk Detections Count: This report consists of a pie chart, a risk table, and an associated relative bar. It shows the total number of risk detections by domain, server, or computer. If you have legacy Symantec AntiVirus clients, the report uses the server group rather than the domain.
New Risks Detected in the Network: This report includes a table and a distribution pie chart. For each new risk, the table provides the following information:
  • Risk name
  • Risk category or type
  • First discovered date
  • First occurrence in the organization
  • Scan type that first detected it
  • Domain where it was discovered (server group on legacy computers)
  • Server where it was discovered (parent server on legacy computers)
  • Group where it was discovered (parent server on legacy computers)
  • The computer where it was discovered and the name of the user that was logged on at the time
The pie chart shows new risk distribution by the target selection type: domain (server group on legacy computers), group, server (parent server on legacy computers), computer, or user name.
Top Risk Detections Correlation: This report consists of a three-dimensional bar graph that correlates virus and security risk detections by using two variables. You can select from computer, user name, domain, group, server, or risk name for the x and y axis variables. This report shows the top five instances for each axis variable. If you selected computer as one of the variables and there are fewer than five infected computers, non-infected computers may appear in the graph.
Note: For computers running legacy versions of Symantec AntiVirus, the server group and parent server are used instead of domain and server.
Risk Distribution Summary: This report includes a pie chart and an associated bar graph that displays a relative percentage for each unique item from the chosen target type. For example, if the chosen target is risk name, the pie chart displays slices for each unique risk. A bar is shown for each risk name and the details include the number of detections and its percentage of the total detections. Targets include the risk name, domain, group, server, computer, user name, source, risk type, or risk severity. For computers running legacy versions of Symantec AntiVirus, the server group and parent server are used instead of domain and server.
Risk Distribution Over Time: This report consists of a table that displays the number of virus and security risk detections per unit of time and a relative bar.
TruScan Proactive Threat Scan Detection Results: This report consists of a pie chart and bar graphs that display the following information:
  • A list of the applications that are labeled as risks that you have added to your exceptions as acceptable in your network.
  • A list of the applications that have been detected that are confirmed risks.
  • A list of the applications that have been detected but whose status as a risk is still unconfirmed.
For each list, this report displays the company name, the application hash and the version, and the computer involved. For the permitted applications, it also displays the source of the permission.
TruScan Proactive Threat Distribution: This report consists of a pie chart that displays the top application names that have been detected with relative bars and a summary table. The detections include applications on the Commercial Applications List and Forced Detections lists. The first summary table contains the application name and the number and percentage of detections.
The summary table displays the following, per detection:
  • Application name and hash
  • Application type, either keylogger, Trojan horse, worm, remote control, or commercial keylogger
  • Company name
  • Application version
  • Number of unique computers that have reported the detection
  • Top three path names in the detections
  • Date of last detection
TruScan Proactive Threat Detection over Time: This report consists of a line chart that displays the number of proactive threat detections for the time period selected. It also contains a table with relative bars that lists the total numbers of the threats that were detected over time.
Action Summary for Top Risks: This report lists the top risks that have been found in your network. For each, it displays action summary bars that show the percentage of each action that was taken when a risk was detected. Actions include quarantined, cleaned, deleted, and so on. This report also shows the percentage of time that each particular action was the first configured action, the second configured action, neither, or unknown.
Number of Notifications: This report consists of a pie chart with an associated relative bar. The charts show the number of notifications that were triggered by the firewall rule violations that you have configured as important to be notified about. It includes the type of notifications and the number of each.
Number of Notifications over Time: This report consists of a line chart that displays the number of notifications in the network for the time period selected. It also contains a table that lists the number of notifications and percentage over time. You can filter the data to display by the type of notification, acknowledgment status, creator, and notification name.
Weekly Outbreaks: This report displays the number of virus and security risk detections, with a relative bar per week for each, for the specified time range. A range of one day displays the past week.
Comprehensive Risk Report: By default, this report includes all of the distribution reports and the new risks report. However, you can configure it to include only certain of the reports. This report includes the information for all domains.
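The Top Risk Detections Correlation report is a two-variable cross-tabulation of detections, limited to the top five values on each axis. The Python below is an added example, not Symantec code and not taken from this article: it builds that cross-tab from constructed detection records and reproduces the caveat that non-infected computers can appear when fewer than five computers have detections. The record field names, the sample data, and the inventory-padding rule used to explain that caveat are assumptions.

```python
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

# Axis choices named by the report (field names used here are assumptions).
AXIS_FIELDS = ("computer", "user", "domain", "group", "server", "risk")

# Constructed sample detections; not exported from a real SEPM.
SAMPLE_DETECTIONS: List[Dict[str, str]] = [
    {"computer": "ws-01", "user": "alice", "domain": "Default", "group": "Finance",     "server": "sepm-01", "risk": "Risk.Sample.A"},
    {"computer": "ws-01", "user": "alice", "domain": "Default", "group": "Finance",     "server": "sepm-01", "risk": "Risk.Sample.B"},
    {"computer": "ws-02", "user": "bob",   "domain": "Default", "group": "Finance",     "server": "sepm-01", "risk": "Risk.Sample.A"},
    {"computer": "ws-02", "user": "bob",   "domain": "Default", "group": "Finance",     "server": "sepm-01", "risk": "Risk.Sample.A"},
    {"computer": "ws-03", "user": "carol", "domain": "Default", "group": "Engineering", "server": "sepm-02", "risk": "Risk.Sample.C"},
    {"computer": "ws-03", "user": "carol", "domain": "Default", "group": "Engineering", "server": "sepm-02", "risk": "Risk.Sample.A"},
]
# Constructed inventory of managed computers; only three of them have detections.
SAMPLE_INVENTORY = ["ws-01", "ws-02", "ws-03", "ws-04", "ws-05", "ws-06"]


def top_values(detections: Sequence[Dict[str, str]], field: str, top_n: int,
               inventory: Optional[Sequence[str]] = None) -> List[str]:
    """Most frequent values of one axis field, ties broken by first appearance."""
    counts = Counter(d[field] for d in detections)
    top = [value for value, _ in counts.most_common(top_n)]
    # Assumption about the report's caveat: when the computer axis has fewer than
    # top_n infected machines, the remaining slots are filled from the inventory
    # with computers that have no detections at all, so they show up with zero bars.
    if field == "computer" and inventory is not None:
        for name in inventory:
            if len(top) >= top_n:
                break
            if name not in top:
                top.append(name)
    return top


def top_risk_correlation(detections: Sequence[Dict[str, str]], x_field: str, y_field: str,
                         top_n: int = 5, inventory: Optional[Sequence[str]] = None
                         ) -> Tuple[List[str], List[str], Dict[str, Dict[str, int]]]:
    """Cross-tabulate detections by two axis fields, keeping the top_n values of each.

    Returns (x_values, y_values, matrix) where matrix[x][y] is the detection count;
    the z axis of the report's 3-D bar graph is that count.
    """
    for field in (x_field, y_field):
        if field not in AXIS_FIELDS:
            raise ValueError(f"{field!r} is not a selectable axis: {AXIS_FIELDS}")
    if x_field == y_field:
        raise ValueError("x and y axes must be different variables")
    x_top = top_values(detections, x_field, top_n, inventory)
    y_top = top_values(detections, y_field, top_n, inventory)
    cells = Counter((d[x_field], d[y_field]) for d in detections)
    matrix = {x: {y: cells.get((x, y), 0) for y in y_top} for x in x_top}
    return x_top, y_top, matrix


def render(x_top: List[str], y_top: List[str], matrix: Dict[str, Dict[str, int]]) -> str:
    """Flatten the cross-tab into a text grid for a quick look in a terminal."""
    header = " " * 12 + "".join(f"{y[:14]:>16}" for y in y_top)
    rows = [f"{x:12}" + "".join(f"{matrix[x][y]:>16}" for y in y_top) for x in x_top]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    xs, ys, m = top_risk_correlation(SAMPLE_DETECTIONS, "computer", "risk", inventory=SAMPLE_INVENTORY)
    print(render(xs, ys, m))   # ws-04 and ws-05 appear with all-zero rows
```

Passing the inventory is what triggers the padding; leave it out when you only want machines that actually have detections on the axis.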

 

Scan Reports

Scan Statistics Histogram: This report is presented as a histogram. You can select how you want the information in the scan report to be distributed. You can select one of the following methods:
  • By the scan time (in seconds)
  • By the number of risks detected
  • By the number of files with detections
  • By the number of files that are scanned
  • By the number of files that are omitted from scans

You can also configure the bin width and how many bins are used in the histogram. The bin width is the data interval that is used for the group by selection. The number of bins specifies how many times the data interval is repeated in the histogram.

The information that displays includes the number of entries and the minimum and the maximum values, as well as the average and the standard deviation.

You might want to change the report values to maximize the information that is generated in the report's histogram. For example, you might want to consider the size of your network and the amount of information that you view.
Computers by Last Scan Time: This report shows a list of computers in your security network by the last time scanned. It also includes the IP address and the name of the user that was logged in at the time of the scan.
Computers Not Scanned: This report shows a list of computers in your security network that have not been scanned. This report provides the following additional information:
  • The IP address
  • The time of the last scan
  • The name of the current user or the user that was logged on at the time of the last scan
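To make the bin width and bin count settings of the Scan Statistics Histogram concrete, here is an added Python example that is not part of this article or of the SEPM product. It distributes constructed scan records by any of the five methods listed, builds the histogram, and computes the entries, minimum, maximum, average and standard deviation summary. The record field names, the half-open bin boundaries, the separate overflow count for values beyond the last bin, and the use of the population standard deviation are all assumptions.

```python
import math
from typing import Dict, List, Optional, Sequence, Union

Number = Union[int, float]

# The five "distribute by" choices; the field names are assumptions.
METRICS = ("scan_time", "risks", "files_with_detections", "files_scanned", "files_omitted")

# Constructed sample scan records (not SEPM data): one dict per completed scan.
SAMPLE_SCANS: List[Dict[str, int]] = [
    {"scan_time": 12,  "risks": 0, "files_with_detections": 0, "files_scanned": 4200,  "files_omitted": 10},
    {"scan_time": 45,  "risks": 1, "files_with_detections": 1, "files_scanned": 15000, "files_omitted": 40},
    {"scan_time": 30,  "risks": 0, "files_with_detections": 0, "files_scanned": 9800,  "files_omitted": 25},
    {"scan_time": 95,  "risks": 3, "files_with_detections": 2, "files_scanned": 31000, "files_omitted": 90},
    {"scan_time": 60,  "risks": 0, "files_with_detections": 0, "files_scanned": 20000, "files_omitted": 55},
    {"scan_time": 210, "risks": 7, "files_with_detections": 5, "files_scanned": 70500, "files_omitted": 300},
    {"scan_time": 33,  "risks": 0, "files_with_detections": 0, "files_scanned": 11000, "files_omitted": 30},
    {"scan_time": 78,  "risks": 2, "files_with_detections": 2, "files_scanned": 26000, "files_omitted": 70},
    {"scan_time": 120, "risks": 1, "files_with_detections": 1, "files_scanned": 40000, "files_omitted": 120},
    {"scan_time": 5,   "risks": 0, "files_with_detections": 0, "files_scanned": 1500,  "files_omitted": 2},
]


def scan_histogram(scans: Sequence[Dict[str, Number]], metric: str,
                   bin_width: Number, bin_count: int) -> Dict[str, object]:
    """Bucket one metric of each scan into bin_count bins of bin_width, starting at 0.

    Bins are half-open [lo, hi), so a value that sits exactly on a boundary lands in
    the upper bin. Values at or beyond bin_width * bin_count fit no bin and are
    returned separately as 'overflow' (assumption: the console's handling is not stated).
    """
    if metric not in METRICS:
        raise ValueError(f"{metric!r} is not one of {METRICS}")
    if bin_width <= 0 or bin_count <= 0:
        raise ValueError("bin_width and bin_count must be positive")
    counts = [0] * bin_count
    overflow = 0
    for scan in scans:
        value = scan[metric]
        if value < 0:
            raise ValueError(f"negative value for {metric}: {value}")
        index = int(value // bin_width)
        if index >= bin_count:
            overflow += 1
        else:
            counts[index] += 1
    labels = [f"{i * bin_width}-{(i + 1) * bin_width}" for i in range(bin_count)]
    return {"metric": metric, "labels": labels, "counts": counts, "overflow": overflow}


def scan_statistics(scans: Sequence[Dict[str, Number]], metric: str) -> Dict[str, Optional[Number]]:
    """Entries, minimum, maximum, average and standard deviation for one metric."""
    values = [scan[metric] for scan in scans]
    n = len(values)
    if n == 0:   # an empty time range must not divide by zero
        return {"entries": 0, "min": None, "max": None, "average": None, "std_dev": None}
    mean = sum(values) / n
    variance = sum((v - mean) ** 2 for v in values) / n   # population variance (assumption)
    return {"entries": n, "min": min(values), "max": max(values),
            "average": mean, "std_dev": math.sqrt(variance)}


def render(histogram: Dict[str, object], width: int = 40) -> str:
    """Draw the histogram as text bars scaled to the tallest bin."""
    counts: List[int] = histogram["counts"]            # type: ignore[assignment]
    peak = max(counts) or 1
    lines = [f"{label:>12} | {'#' * (count * width // peak)} {count}"
             for label, count in zip(histogram["labels"], counts)]   # type: ignore[arg-type]
    if histogram["overflow"]:
        lines.append(f"{'beyond':>12} | {histogram['overflow']} value(s) past the last bin")
    return "\n".join(lines)


if __name__ == "__main__":
    # Scan time in seconds, five bins of 30 seconds each.
    print(render(scan_histogram(SAMPLE_SCANS, "scan_time", 30, 5)))
    print(scan_statistics(SAMPLE_SCANS, "scan_time"))
```

Widening the bins or adding more of them moves scans out of the overflow count; that is the tuning the last paragraph of the report description refers to.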

 

System Reports

Top Clients That Generate Errors: This report consists of a pie chart for each warning condition and error condition. The charts show the relative error count and relative warning count and percentage, by client.
Top Servers That Generate Errors: This report consists of a pie chart for each warning condition and error condition. The charts show the relative error count and relative warning count and percentage, by server.
Top Enforcers That Generate Errors: This report consists of a pie chart for each warning condition and error condition. The charts show the relative error count and relative warning count and percentage, by Enforcer.
Database Replication Failures Over Time: This report consists of a line chart with an associated table that lists the replication failures for the time range selected.
Site Status: This report displays the current status and throughput of all servers in your local site. It also shows information about client installation, client online status, and client log volume for your local site. The data this report draws from is updated every ten seconds, but you need to rerun the report to see updated data.

Note: If you have multiple sites, this report shows the total installed and online clients for your local site, not all your sites.

If you have site or domain restrictions as an administrator, you only see the information that you are allowed to see.

The health status of a server is classified as follows:
  • Good: The server is up and works normally.
  • Poor: The server is low on memory or disk space, or has a large number of client request failures.
  • Critical: The server is down.

For each server, this report contains the status, health status and reason, CPU and memory usage, and free disk space. It also contains server throughput information, such as policies downloaded, and site throughput sampled from the last heartbeat.
It includes the following site throughput information:
  • Total clients installed and online
  • Policies downloaded per second
  • Intrusion Prevention signatures downloaded per second
  • Learned applications per second
  • Enforcer system logs, traffic logs, and packet logs per second
  • Client information updates per second
  • Client security logs, system logs, traffic logs, and packet logs received per second
  • Application and device control logs received per second

Online has the following meanings in this report:
  • For the clients that are in push mode, online means that the clients are currently connected to the server.
  • For the clients that are in pull mode, online means that the clients have contacted the server within the last two client heartbeats.
  • For the clients in remote sites, online means that the clients were online at the time of the last replication.
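The three definitions of "online" above (the same ones the Client Online Status report uses) are easy to get wrong when you script your own availability checks against exported client data. The following Python is an added example, not Symantec code and not taken from this article: it models the push, pull and remote-site cases with a small Client record, and rolls the result up per group the way the report does. The field names, the five-minute heartbeat interval, the treatment of the exact two-heartbeat boundary as still online, and the sample clients are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed heartbeat interval for pull-mode clients; in a real deployment it comes
# from the client's communication settings and can differ per group.
DEFAULT_HEARTBEAT = timedelta(minutes=5)


@dataclass
class Client:
    """One managed client as an availability check sees it (field names are assumptions)."""
    name: str
    group: str
    mode: str                                  # "push", "pull", or "remote" (managed by another site)
    connected: bool = False                    # push mode: a session to the server is currently open
    last_contact: Optional[datetime] = None    # pull mode: last heartbeat the server recorded
    heartbeat: timedelta = DEFAULT_HEARTBEAT   # pull mode: this client's heartbeat interval
    online_at_replication: bool = False        # remote site: status carried over by the last replication


def is_online(client: Client, now: datetime) -> bool:
    """Apply the report's three definitions of 'online'."""
    if client.mode == "push":
        return client.connected
    if client.mode == "pull":
        if client.last_contact is None:          # never checked in: cannot be online
            return False
        # "within the last two client heartbeats"; the boundary itself counts (assumption)
        return now - client.last_contact <= 2 * client.heartbeat
    if client.mode == "remote":
        return client.online_at_replication
    raise ValueError(f"unknown client mode: {client.mode!r}")


def online_summary(clients: List[Client], now: datetime) -> Tuple[int, int, float]:
    """Return (online, total, percentage online) for a set of clients."""
    online = sum(1 for c in clients if is_online(c, now))
    total = len(clients)
    percent = round(100.0 * online / total, 1) if total else 0.0
    return online, total, percent


def online_by_group(clients: List[Client], now: datetime) -> Dict[str, Tuple[int, int, float]]:
    """Per-group roll-up, the way the report shows one pie chart per group."""
    groups: Dict[str, List[Client]] = {}
    for c in clients:
        groups.setdefault(c.group, []).append(c)
    return {name: online_summary(members, now) for name, members in groups.items()}


# Constructed sample data (not exported from a real SEPM).
NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_CLIENTS = [
    Client("ws-01", "Finance", "push", connected=True),
    Client("ws-02", "Finance", "push", connected=False),
    Client("ws-03", "Engineering", "pull", last_contact=NOW - timedelta(minutes=7)),   # inside two heartbeats
    Client("ws-04", "Engineering", "pull", last_contact=NOW - timedelta(minutes=11)),  # missed more than two
    Client("ws-05", "Engineering", "pull", last_contact=None),                         # never checked in
    Client("ws-06", "Remote", "remote", online_at_replication=True),
]

if __name__ == "__main__":
    for client in SAMPLE_CLIENTS:
        print(f"{client.name:6} {client.mode:6} online={is_online(client, NOW)}")
    print("all:", online_summary(SAMPLE_CLIENTS, NOW))
    for group, summary in online_by_group(SAMPLE_CLIENTS, NOW).items():
        print(f"{group}: {summary}")
```

A client that has never checked in is offline under every definition, and a remote-site client's status is only as fresh as the last replication, which is why the same machine can read online on one site and offline on another.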

 

References

2009081410023948 - About Application and Device Control reports and logs

2009081410270748 - About Compliance reports and logs

2009081410381448 - About Computer Status reports and logs

2009081410460448 - About Network Threat Protection reports and logs

2009081410532848 - About Risk reports and logs

2009081411032248 - About Scan reports and logs

2009081411193948 - About System reports and logs