Generated reports layout and data

Article ID: 179062

Updated On:

Products

Messaging Gateway

Issue/Introduction

 

Resolution

Use the following information to help you understand the layout and data that appears in the reports that you generate.

Table: Report layout provides information about how reports are displayed.

Table: Report layout

Element

Description

Graphs and tables

You can specify whether you want the report data to appear in a graph, table, or both. Graph and table options are not available for the Executive Summary report.

The options for displaying report data for graphs and tables are as follows:

  • Graph - overview

    Graphs each category of report data.

    This graph does not contain the summary information (sums and averages for the entire time period) listed in the overview table.

  • Graph - all others (non-overview)

    Displays bar graph(s) for each item in the report type chosen.

    For the reports other than the summary reports, a maximum of 20 items can be displayed in a bar graph.

  • Table

    Creates a numeric representation of the report data.

    For all reports, a table report can list more than 20 items.

The method to save graphs and tables to files depends on the report, its format, and whether you save or email the report.

See Saving generated reports.

See Emailing generated reports.

Number of rows

The maximum size for any report (including a scheduled report) is 1,000 rows. If you encounter this limitation, shorten the time range, group by a longer time interval, or decrease the top entries field (applicable to some reports).

Note:

This limitation is not configurable.

Extra bars in report graphs

The current fractional hour is included in report graphs in its own bar. Including this bar ensures that the entire selected time range is displayed. This extra bar usually portrays noticeably less data than the rest of the bars.

Consider the following examples:

  • You run a report for the past hour at 2:22 P.M. Tuesday:

    • The resulting data set is from 1:00 P.M. until 2:22 P.M.

    • The data appears by hour, spread across two bars.

  • You run a report for the past 24 hours at 2:22 P.M. Tuesday:

    • The resulting data is from 2:00 P.M. Monday until 2:22 P.M. Tuesday.

    • The data appears by hour, spread across 25 bars.

Time ranges

Report statistics are stored in units from 0 minutes, 0 seconds to 59 minutes, 59 seconds of every hour. For example, from 1:00 A.M. to 1:59 A.M. is one unit and from 2:00 A.M. to 2:59 A.M. is another unit. Because of this scheme, reports cannot be displayed with a time range less than an hour or grouped by a period less than an hour.

Table: Report data details provides the information to help you interpret the information in reports.

Table: Report data details

Issue

Description

What constitutes a threat

The summary reports and the Dashboard contain threat summary graphs and tables. A threat is a harmful attribute or potentially harmful attribute of an email message. For example, threats include spam, malware, and content filtering policy violations. Similar message verdicts are grouped into threat categories.

Single threat, multiple threat, and clean messages

The summary reports and the Dashboard categorize messages into single threat, multiple threat, and clean messages. Multiple threat messages contain more than one type of threat. For example, a message that contains spam and malware is a multiple threat message. Clean messages contain no known threats.

Message and connection counts

The appliance uses many technologies to track email and filter email. Some of these technologies function at the email connection level before an actual email message can be generated and sent. When a connection is rejected or deferred because it triggered a bad reputation filter, that connection is counted as one message.

Verdicts of suspect virus messages

If a message is routed to the Suspect Virus Quarantine, the outcome of rescanning the message is not counted toward total threat counts. However, the outcome of rescanning the message is displayed in the Suspect Virus Outcomes graph. The graph indicates whether quarantined suspect viruses were deleted, determined to be viruses or not, or are still in the Suspect Virus Quarantine.

Sender HELO domain or IP connection shows gateway information

If any Scanners accept relayed messages from a gateway computer, the SMTP HELO name is the name or IP address of the gateway computer. The IP connection address is the IP address of the computer that is connected to the gateway computer.

Affected reports are as follows:

  • Top Sender HELO Domains

    All Top Sender HELO Domain reports are affected

  • Top Sender IP Connections

    All Top Sender IP Connections reports are affected

  • Top Succeeded Connections SMTP report

  • Top Failed Connections SMTP report

  • Top Rejected Connections SMTP report

The process to determine which IP address Symantec Messaging Gateway uses is as follows:

  1. Symantec Messaging Gateway first checks if the connecting IP address is outside the internal range. If it is, the connecting IP address is the logical IP address.

  2. If the connecting IP address is inside the internal range, Symantec Messaging Gateway walks through the received headers. It starts this process by considering the first received header as the current received header.

  3. If the current received header has one IP address, Symantec Messaging Gateway checks if it is outside the internal range. If it is, this IP address is the logical IP address.

  4. If the current received header has one IP address and it is inside the internal range, Symantec Messaging Gateway looks for the next received header.

  5. If there is a next received header, Symantec Messaging Gateway makes it the new, current received header and loops back to step 3.

  6. If there are no more received headers, then the chain successfully ends on an internal IP address. Symantec Messaging Gateway uses the connecting IP address as the logical IP address.

  7. If Symantec Messaging Gateway is unable to successfully walk through all of the received headers because one of them contains either 0 or multiple IP addresses, it considers the header chain broken. Symantec Messaging Gateway reports the IP address as 255.255.255.255.
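The following Python sketch follows steps 1 through 7 above. It is an added illustration, not Symantec Messaging Gateway code. It assumes the internal range is given as CIDR networks, the received headers are passed in the order they are walked, and an address is any valid IPv4 literal in the header text; the function names and sample headers are constructed for the example.

```python
import ipaddress
import re

BROKEN_CHAIN = "255.255.255.255"  # value reported when the header chain is broken (step 7)
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def header_ips(header):
    """Valid IPv4 literals in one Received header (assumed extraction rule)."""
    found = []
    for candidate in IPV4.findall(header):
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:  # dotted text such as 999.1.1.1 is not an address
            continue
    return found

def is_internal(addr, nets):
    return any(addr in net for net in nets)

def logical_ip(connecting_ip, received_headers, internal_ranges):
    """Return the logical IP address chosen by the documented walk."""
    nets = [ipaddress.ip_network(n) for n in internal_ranges]
    conn = ipaddress.ip_address(connecting_ip)
    if not is_internal(conn, nets):        # step 1: external connecting address wins
        return str(conn)
    for header in received_headers:        # steps 2 and 5: walk header by header
        ips = header_ips(header)
        if len(ips) != 1:                  # step 7: zero or multiple addresses
            return BROKEN_CHAIN
        if not is_internal(ips[0], nets):  # step 3: first external address found
            return str(ips[0])
        # step 4: one internal address, continue with the next header
    return str(conn)                       # step 6: chain ended on internal addresses

# Constructed sample data (documentation address ranges, hypothetical host names).
INTERNAL = ["10.0.0.0/8"]
RELAYED = [
    "from relay.example.net ([10.0.0.9]) by smg.example.net with ESMTP",
    "from mail.example.org ([198.51.100.23]) by relay.example.net with ESMTP",
]
NO_ADDRESS = ["from unknown by smg.example.net with ESMTP"]
TWO_ADDRESSES = ["from mail.example.org ([198.51.100.23]) by relay ([10.0.0.9])"]

if __name__ == "__main__":
    print(logical_ip("203.0.113.7", RELAYED, INTERNAL))     # direct external sender
    print(logical_ip("10.0.0.5", RELAYED, INTERNAL))        # relayed through a gateway
    print(logical_ip("10.0.0.5", RELAYED[:1], INTERNAL))    # chain ends internally
    print(logical_ip("10.0.0.5", NO_ADDRESS, INTERNAL))     # broken chain
    print(logical_ip("10.0.0.5", TWO_ADDRESSES, INTERNAL))  # broken chain
```

Because the walk returns at the first external address, a header with 0 or multiple addresses only breaks the chain if it is reached before an external address is found.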

Processed message count

For the reports that list the number of processed messages, the number of processed messages is counted per message, not per recipient. For example, if a single message lists 12 recipients, the processed message count increases by 1, not 12.

How duplicate verdicts per message are reported

Each email message can have multiple recipients and multiple threats. Different recipients in the same email message may have different threats triggered. This situation occurs because the different recipients may belong to different policy groups. For example, recipients in group A may have content filtering enabled for employee data protection terms, while recipients in group B may not.

Some verdicts have names associated with them to describe unique instances of that verdict type. For example, a known virus may be called W32.Zoltan or VBS.Throckmorton. Each named verdict is counted separately. If both W32.Zoltan and VBS.Throckmorton are found one or more times in a message, the malware count increases by two. The message is considered a multiple threat message.

The following verdicts have unique names:

  • Content filtering policies

  • Malware

  • Viruses

  • Worms

Verdicts that are not included in this list are counted once per message regardless of the number of occurrences of the verdict in the message. For example, a single message is sent to three recipients. The message to recipient A has two matches for encrypted content. The same message that is sent to recipient B has two matches for encrypted content. That same message that is sent to recipient C has no matches. The total count of encrypted content for the message is one. The malware threat count for the message is one (encrypted content counts as malware without a unique name). If no other threats are detected in the message, it is considered a single threat message.

See Threat category components.

See Creating and configuring reports.

See Report types.