About the different types of Symantec Endpoint Protection Manager Reports

Article:TECH95538  |  Created: 2009-01-14  |  Updated: 2009-01-14  |  Article URL http://www.symantec.com/docs/TECH95538
Article Type
Technical Solution


Issue

What are the different types of reports that can be run in the Symantec Endpoint Protection Manager?

What information do the different reports in the Symantec Endpoint Protection Manager show?


Solution



Report Types


      Application and Device Control
        Displays information about events where some type of behavior was blocked. These reports include information about application security alerts, blocked targets, and blocked devices. Blocked targets can be registry keys, DLLs, files, and processes.
      Audit
        Displays information about the policies that clients and locations use currently.
      Compliance
        Displays information about the compliance status of your network. These reports include information about Enforcer servers, Enforcer clients, Enforcer traffic, and host compliance.
      Computer Status
        Displays information about the operational status of the computers in your network, such as which computers have security features turned off. These reports include information about versions, the clients that have not checked in to the server, client inventory, and online status.
      Network Threat Protection
        Displays information about intrusion prevention, attacks on the firewall, and about firewall traffic and packets.
      Risk
        Displays information about risk events on your management servers and their clients. It includes information about TruScan proactive threat scans.
      Scan
        Displays information about antivirus and antispyware scan activity.
      System
        Displays information about event times, event types, sites, domains, servers, and severity levels.


      Note: Some predefined reports contain information that is obtained from Symantec Network Access Control. If you have not purchased that product, but you run one of that product's reports, the report is empty.




    About reports

    • Quick Reports
      Quick reports are printable reports available on-demand from the Quick Reports tab on the Reports page.

      Quick report types

      Application and Device Control
        The Application and Device Control reports contain information about events where access to a computer was blocked or a device was kept off the network.
      Audit
        The Audit report contains information about policy modification activities, such as the event times and types, policy modifications, domains, sites, administrators, and descriptions.
      Compliance
        The Compliance reports contain information about the Enforcer server, the Enforcer clients, the Enforcer traffic, and host compliance.
      Computer Status
        The Computer Status reports contain information about the real-time operational status of the computers in the network.
      Network Threat Protection
        The Network Threat Protection reports allow you to track a computer's activity and its interaction with other computers and networks. They record information about the traffic that tries to enter or exit the computers through their network connections.
      Risk
        The Risk reports include information about risk events on your management servers and their clients.
      Scan
        The Scan reports provide information about antivirus and antispyware scan activity.
      System
        The System reports contain information that is useful for troubleshooting client problems.

      This section describes the reports by name and their general content. You can configure Basic Settings and Advanced Settings for all reports to refine the data you want to view. You can also save your custom filter with a name to run the same custom report at a later time.

      If you have multiple domains in your network, many reports allow you to view data for all domains, one site, or a few sites. The default for all quick reports is to show all domains, groups, servers, and so on, as appropriate for the report you select to create.

      Note: If you have only Symantec Network Access Control installed, a significant number of reports are empty. The Application and Device Control, Network Threat Protection, Risk, and Scan reports do not contain data. The Compliance and Audit reports do contain data, as do some of the Computer Status and System reports.

      For a description of each configurable option, you can click Tell me more for that type of report on the Symantec Endpoint Protection Manager Console. Tell me more displays the context-sensitive Help.


      • Application and Device Control Reports

        Top Groups With Most Alerted Application Control Logs
          This report consists of a pie chart with relative bars. It shows the groups with the application control logs that have generated the largest number of security alerts.
        Top Targets Blocked
          This report consists of a pie chart with relative bars for each of the following targets, if applicable:
          • Top Files
          • Top Registry Keys
          • Top Processes
          • Top Modules (DLLs)
        Top Devices Blocked
          This report consists of a pie chart with a relative bar that shows the devices most frequently blocked from access to your network.

      • Audit Reports

        Policies Used
          This report displays the policies that clients and locations use currently. Information includes the domain name, group name, and the serial number of the policy that is applied to each group.


      • Compliance Reports

        Network Compliance Status
          This report consists of a line chart and a table. It displays the event time, number of attacks, and the percentage of attacks that are involved in each.
          You can display the total number of clients to which the following compliance actions have been applied over the time range that you select:
          • Authenticated
          • Disconnected
          • Failed
          • Passed
          • Rejected
        Compliance Status
          You can select an action to display a line chart that shows one of the following:
          • The total number of clients that have passed a host integrity check in your network over the time range that you select
          • The total number of clients that have failed a host integrity check in your network over the time range that you select
          This report also includes a table that displays the event time, number of clients, and the percentage of clients that are involved in each.
        Clients by Compliance Failure Summary
          This report consists of a bar chart that shows the following information:
          • A count of the unique workstations by the type of control failure event, such as antivirus, firewall, or VPN.
          • The total number of clients in the group.
        Compliance Failure Details
          This report consists of a table that displays the number of unique computers by control failure. It shows the criteria and the rule that is involved in each failure. It includes the percentage of clients that are deployed and the percentage that failed.
        Non-compliant Clients by Location
          This report consists of a table that shows the compliance failure events. These events display in groups that are based on their location. Information includes the unique computers that failed, and the percentage of total failures and location failures.


      • Computer Status Reports

        Virus Definitions Distribution
          This report displays the unique virus definitions file versions that are used throughout your network and the number of computers and percentage using each version. It consists of a pie chart, a table, and relative bars.
        Computers Not Checked into Server
          This report displays a list of all the computers that have not checked in with their server. It also displays the computer's IP address, the time of its last check-in, and the user that was logged in at that time.
        Symantec Endpoint Protection Product Versions
          This report displays the list of version numbers for all the Symantec Endpoint Protection product versions in your network. It also includes the domain and server for each, as well as the number of computers and percentage of each. It consists of a pie chart and relative bars.
        Intrusion Prevention Signature Distribution
          This report displays the IPS signature file versions that are used throughout your network. It also includes the domain and server for each, as well as the number of computers and percentage of each. It consists of a pie chart and relative bars.
        Client Inventory
          This report consists of the following charts with relative bars that display the total number of computers and percentage of each:
          • Operating System
          • Total Memory
          • Free Memory
          • Total Disk Space
          • Free Disk Space
          • Processor Type
        Compliance Status Distribution
          This report consists of a pie chart with relative bars that show compliance passes and failures by group or by subnet. It shows the number of computers and the percentage of computers that are in compliance.
        Client Online Status
          This report consists of pie charts with relative bars per group or per subnet. It displays the percentage of your computers that are online.
          Online has the following meanings:
          • For the clients that are in push mode, online means that the clients are currently connected to the server.
          • For the clients that are in pull mode, online means that the clients have contacted the server within the last two client heartbeats.
          • For the clients in remote sites, online means that the clients were online at the time of the last replication.
        Clients With Latest Policy
          This report consists of pie charts with relative bars per group or subnet. It displays the number of computers and percentage that have the latest policy applied.
        Client Count by Group
          This report consists of a table that lists host information statistics by group. It lists the number of clients and users. If you use multiple domains, this information appears by domain.
        Security Status Summary
          This report reflects the general security status of the network. It displays the number and percentage of computers that have the following status:
          • The Antivirus Engine is off.
          • Auto-Protect is off.
          • Tamper Protection is off.
          • Restart is required.
          • A Host Integrity check failed.
          • Network Threat Protection is off.
        Protection Content Versions
          This report displays all the proactive protection content versions that are used throughout your network in a single report. One pie chart is displayed for each type of protection. The following content types are available:
          • Decomposer versions
          • Eraser Engine versions
          • TruScan Proactive Threat Scan Content versions
          • TruScan Proactive Threat Scan Engine versions
          • Commercial Application List versions
          • Proactive Content Handler Engine versions
          • Permitted Applications List versions
          • The new content types that Symantec Security Response has added
        Client Migration
          This report consists of tables that describe the migration status of clients by domain, group, and server. It displays the client IP address and whether the migration succeeded, failed, or has not yet started.
        Client Software Rollout (Snapshots)
          This report is available as a scheduled report only.
          This report consists of tables that track the progression of client package deployments. The snapshot information lets you see how quickly the rollout progresses, as well as how many clients are still not fully deployed.
        Clients Online/Offline Over Time (Snapshots)
          This report is available as a scheduled report only.
          This report consists of line charts and tables that show the number of clients online or offline. One chart displays for each of the top targets. The target is either a group or an operating system.
        Clients With Latest Policy over Time (Snapshots)
          This report is available as a scheduled report only.
          This report consists of a line chart that displays the clients that have the latest policy applied. One chart displays for each of the top clients.
        Non-compliant Clients Over Time (Snapshots)
          This report is available as a scheduled report only.
          This report consists of a line chart that shows the percentage of clients that have failed a host integrity check over time. One chart displays for each of the top clients.
        Virus Definition Rollout (Snapshots)
          This report is available as a scheduled report only.
          This report lists the virus definitions package versions that have been rolled out to clients. This information is useful for tracking the progress of deploying new virus definitions from the console.


      • Network Threat Protection Reports

        Top Targets Attacked
          This report consists of a pie chart with relative bars. You can view information using groups, subnets, clients, or ports as the target. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks.
        Top Sources of Attack
          This report consists of a pie chart with relative bars that shows the top hosts that initiated attacks against your network. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks.
        Top Types of Attack
          This report consists of a pie chart with associated relative bars. It includes information such as the number and percentage of events. It also includes the group and severity, as well as the event type and number by group.
        Top Blocked Applications
          This report consists of a pie chart with relative bars that show the top applications that were prevented from accessing your network. It includes information such as the number and percentage of attacks, the group and severity, and the distribution of attacks by group.
        Attacks over Time
          This report consists of one or more line charts that display attacks during the selected time period. For example, if the time range is the last month, the report displays the total number of attacks per day for the past month. It includes the number and percentage of attacks. You can view attacks for all computers, or by the top operating systems, users, IP addresses, groups, or attack types.
        Security Events by Severity
          This report consists of a pie chart that displays the total number and percentage of security events in your network, ranked according to their severity.
        Blocked Applications Over Time
          This report consists of a line chart and table. It displays the total number of applications that were prevented from accessing your network over a time period that you select. It includes the event time, the number of attacks, and the percentage. You can display the information for all computers, or by group, IP address, operating system, or user.
        Traffic Notifications Over Time
          This report consists of a line chart. It shows the number of notifications that were based on firewall rule violations over time. The rules that are counted are those where you checked the Send Email Alert option in the Logging column of the Firewall Policy Rules list. You can display the information in this report for all computers, or by group, IP address, operating system, or user.
        Top Traffic Notifications
          This report consists of a pie chart with relative bars that lists the group or subnet, and the number and percentage of notifications. It shows the number of notifications that were based on firewall rule violations that you configured as important to be notified about. The rules that are counted are those where you checked the Send Email Alert option in the Logging column of the Firewall Policy Rules list. You can view information for all, for the Traffic log, or for the Packet log, grouped by top groups or subnets.
        Full Report
          This report gives you the following Network Threat Protection information in a single report:
          • Top Types of Attack
          • Top Targets Attacked by Group
          • Top Targets Attacked by Subnet
          • Top Targets Attacked by Client
          • Top Sources of Attack
          • Top Traffic Notifications by Group (Traffic)
          • Top Traffic Notifications by Group (Packets)
          • Top Traffic Notifications by Subnet (Traffic)
          • Top Traffic Notifications by Subnet (Packets)
          This report includes the information for all domains.


      • Risk Reports

        Infected and At Risk Computers
          This report consists of two tables. One table lists computers that have a virus infection. The other table lists the computers that have a security risk that has not yet been remediated.
        Detection Action Summary
          This report consists of a table that shows a count of all the possible actions that were taken when risks were detected. The possible actions are Cleaned, Suspicious, Blocked, Quarantined, Deleted, Newly Infected, and Still Infected. This information also appears on the Symantec Endpoint Protection Home page.
        Risk Detections Count
          This report consists of a pie chart, a risk table, and an associated relative bar. It shows the total number of risk detections by domain, server, or computer. If you have legacy Symantec AntiVirus clients, the report uses the server group rather than the domain.
        New Risks Detected in the Network
          This report includes a table and a distribution pie chart.
          For each new risk, the table provides the following information:
          • Risk name
          • Risk category or type
          • First discovered date
          • First occurrence in the organization
          • Scan type that first detected it
          • Domain where it was discovered (server group on legacy computers)
          • Server where it was discovered (parent server on legacy computers)
          • Group where it was discovered (parent server on legacy computers)
          • The computer where it was discovered and the name of the user that was logged on at the time
          The pie chart shows new risk distribution by the target selection type: domain (server group on legacy computers), group, server (parent server on legacy computers), computer, or user name.
        Top Risk Detections Correlation
          This report consists of a three-dimensional bar graph that correlates virus and security risk detections by using two variables. You can select from computer, user name, domain, group, server, or risk name for the x and y axis variables. This report shows the top five instances for each axis variable. If you selected computer as one of the variables and there are fewer than five infected computers, non-infected computers may appear in the graph.
          Note: For computers running legacy versions of Symantec AntiVirus, the server group and parent server are used instead of domain and server.
        Risk Distribution Summary
          This report includes a pie chart and an associated bar graph that displays a relative percentage for each unique item from the chosen target type. For example, if the chosen target is risk name, the pie chart displays slices for each unique risk. A bar is shown for each risk name and the details include the number of detections and its percentage of the total detections. Targets include the risk name, domain, group, server, computer, user name, source, risk type, or risk severity. For computers running legacy versions of Symantec AntiVirus, the server group and parent server are used instead of domain and server.
        Risk Distribution Over Time
          This report consists of a table that displays the number of virus and security risk detections per unit of time and a relative bar.
        TruScan Proactive Threat Scan Detection Results
          This report consists of a pie chart and bar graphs that display the following information:
          • A list of the applications that are labeled as risks that you have added to your exceptions as acceptable in your network.
          • A list of the applications that have been detected that are confirmed risks.
          • A list of the applications that have been detected but whose status as a risk is still unconfirmed.
          For each list, this report displays the company name, the application hash and the version, and the computer involved. For the permitted applications, it also displays the source of the permission.
        TruScan Proactive Threat Distribution
          This report consists of a pie chart with relative bars that displays the top application names that have been detected, and a summary table. The detections include applications on the Commercial Applications List and Forced Detections lists. The first summary table contains the application name and the number and percentage of detections.
          The summary table displays the following, per detection:
          • Application name and hash
          • Application type, either keylogger, Trojan horse, worm, remote control, or commercial keylogger
          • Company name
          • Application version
          • Number of unique computers that have reported the detection
          • Top three path names in the detections
          • Date of last detection
        TruScan Proactive Threat Detection over Time
          This report consists of a line chart that displays the number of proactive threat detections for the time period selected. It also contains a table with relative bars that lists the total numbers of the threats that were detected over time.
        Action Summary for Top Risks
          This report lists the top risks that have been found in your network. For each, it displays action summary bars that show the percentage of each action that was taken when a risk was detected. Actions include quarantined, cleaned, deleted, and so on. This report also shows the percentage of time that each particular action was the first configured action, the second configured action, neither, or unknown.
        Number of Notifications
          This report consists of a pie chart with an associated relative bar. The charts show the number of notifications that were triggered by the firewall rule violations that you have configured as important to be notified about. It includes the type of notifications and the number of each.
        Number of Notifications over Time
          This report consists of a line chart that displays the number of notifications in the network for the time period selected. It also contains a table that lists the number of notifications and percentage over time. You can filter the data to display by the type of notification, acknowledgment status, creator, and notification name.
        Weekly Outbreaks
          This report displays the number of virus and security risk detections and a relative bar per week for each for the specified time range. A range of one day displays the past week.
        Comprehensive Risk Report
          By default, this report includes all of the distribution reports and the new risks report. However, you can configure it to include only certain of the reports. This report includes the information for all domains.


      • Scan Reports

        Scan Statistics Histogram
          This report is presented as a histogram. You can select how you want the information in the scan report to be distributed. You can select one of the following methods:
          • By the scan time (in seconds)
          • By the number of risks detected
          • By the number of files with detections
          • By the number of files that are scanned
          • By the number of files that are omitted from scans
          You can also configure the bin width and how many bins are used in the histogram. The bin width is the data interval that is used for the group by selection. The number of bins specifies how many times the data interval is repeated in the histogram.
          The information that displays includes the number of entries and the minimum and the maximum values, as well as the average and the standard deviation.
          You might want to change the report values to maximize the information that is generated in the report's histogram. For example, you might want to consider the size of your network and the amount of information that you view.
        Computers by Last Scan Time
          This report shows a list of computers in your security network by the last time scanned. It also includes the IP address and the name of the user that was logged in at the time of the scan.
        Computers Not Scanned
          This report shows a list of computers in your security network that have not been scanned.
          This report provides the following additional information:
          • The IP address
          • The time of the last scan
          • The name of the current user or the user that was logged on at the time of the last scan

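As an added example (not code from the article or from the product), the following Python builds the kind of distribution the Scan Statistics Histogram report above describes: one of the five scan metrics is grouped into bins of a chosen width and count, and the entries, minimum, maximum, average and standard deviation are reported alongside. The scan records, the overflow bin for values beyond the last interval, and the use of the population standard deviation are assumptions.

```python
"""Added example (not Symantec code): the histogram and summary statistics that
the Scan Statistics Histogram report describes, over constructed scan records."""
import math
from typing import Dict, List, Sequence

# Constructed sample: one record per completed scan, carrying the five metrics
# the report lets you distribute by.
SAMPLE_SCANS = [
    {"host": "ws-01", "seconds": 95,  "risks": 0, "files_with_risks": 0, "files_scanned": 41000,  "files_omitted": 12},
    {"host": "ws-02", "seconds": 130, "risks": 2, "files_with_risks": 2, "files_scanned": 52000,  "files_omitted": 30},
    {"host": "ws-03", "seconds": 310, "risks": 0, "files_with_risks": 0, "files_scanned": 98000,  "files_omitted": 8},
    {"host": "ws-04", "seconds": 60,  "risks": 1, "files_with_risks": 1, "files_scanned": 20000,  "files_omitted": 0},
    {"host": "ws-05", "seconds": 245, "risks": 5, "files_with_risks": 3, "files_scanned": 77000,  "files_omitted": 55},
    {"host": "ws-06", "seconds": 900, "risks": 0, "files_with_risks": 0, "files_scanned": 300000, "files_omitted": 4},
]


def histogram(values: Sequence[float], bin_width: float, bin_count: int) -> List[int]:
    """Count values into bin_count bins of bin_width each, starting at 0.

    Bin i covers [i * bin_width, (i + 1) * bin_width). The report's "number of
    bins" is how many times that interval is repeated; values at or beyond the
    last interval would otherwise fall off the chart, so this example collects
    them in one extra trailing overflow bin (an assumption, not product behaviour).
    """
    if bin_width <= 0 or bin_count <= 0:
        raise ValueError("bin_width and bin_count must be positive")
    counts = [0] * (bin_count + 1)
    for v in values:
        index = int(v // bin_width)
        counts[min(index, bin_count)] += 1
    return counts


def summary(values: Sequence[float]) -> Dict[str, float]:
    """Entries, minimum, maximum, average and (population) standard deviation."""
    n = len(values)
    if n == 0:
        return {"entries": 0, "min": None, "max": None, "average": None, "stddev": None}
    mean = sum(values) / n
    variance = sum((v - mean) ** 2 for v in values) / n
    return {"entries": n, "min": min(values), "max": max(values),
            "average": mean, "stddev": math.sqrt(variance)}


def scan_statistics(scans, metric: str, bin_width: float, bin_count: int) -> dict:
    """Distribute the chosen metric (e.g. "seconds") the way the report does."""
    values = [s[metric] for s in scans]
    return {"metric": metric, "bins": histogram(values, bin_width, bin_count),
            "summary": summary(values)}


if __name__ == "__main__":
    # Scan time in seconds, 120-second intervals, 4 bins plus overflow.
    result = scan_statistics(SAMPLE_SCANS, "seconds", 120, 4)
    for i, count in enumerate(result["bins"]):
        label = f"{i * 120:>4}-{(i + 1) * 120:<4}s" if i < 4 else "overflow"
        print(f"{label}: {'#' * count}")
    print(result["summary"])
```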

      • System Reports

        Top Clients That Generate Errors
          This report consists of a pie chart for each warning condition and error condition. The charts show the relative error count and relative warning count and percentage, by client.
        Top Servers That Generate Errors
          This report consists of a pie chart for each warning condition and error condition. The charts show the relative error count and relative warning count and percentage, by server.
        Top Enforcers That Generate Errors
          This report consists of a pie chart for each warning condition and error condition. The charts show the relative error count and relative warning count and percentage, by Enforcer.
        Database Replication Failures Over Time
          This report consists of a line chart with an associated table that lists the replication failures for the time range selected.
        Site Status
          This report displays the current status and throughput of all servers in your local site. It also shows information about client installation, client online status, and client log volume for your local site. The data this report draws from is updated every ten seconds, but you need to rerun the report to see updated data.
          Note: If you have multiple sites, this report shows the total installed and online clients for your local site, not all your sites.
          If you have site or domain restrictions as an administrator, you only see the information that you are allowed to see.
          The health status of a server is classified as follows:
          • Good: The server is up and works normally.
          • Poor: The server is low on memory or disk space, or has a large number of client request failures.
          • Critical: The server is down.
          For each server, this report contains the status, health status and reason, CPU and memory usage, and free disk space. It also contains server throughput information, such as policies downloaded, and site throughput sampled from the last heartbeat.
          It includes the following site throughput information:
          • Total clients installed and online
          • Policies downloaded per second
          • Intrusion Prevention signatures downloaded per second
          • Learned applications per second
          • Enforcer system logs, traffic logs, and packet logs per second
          • Client information updates per second
          • Client security logs, system logs, traffic logs, and packet logs received per second
          • Application and device control logs received per second
          Online has the following meanings in this report:
          • For the clients that are in push mode, online means that the clients are currently connected to the server.
          • For the clients that are in pull mode, online means that the clients have contacted the server within the last two client heartbeats.
          • For the clients in remote sites, online means that the clients were online at the time of the last replication.

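The three meanings of "online" above (the same ones given under Client Online Status in the Computer Status reports) as an added Python example that is not part of the article or the product: it classifies constructed client records by those rules and totals the per-group online percentage that the Client Online Status pie charts show. The heartbeat interval, the client record fields, and checking the remote-site rule before the push/pull rules are assumptions.

```python
"""Added example (not Symantec code): applies the push-mode, pull-mode and
remote-site definitions of "online" from the article to constructed client
records and computes the per-group online percentage."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Sequence, Tuple


@dataclass
class Client:
    name: str
    group: str
    mode: str                                  # "push" or "pull" (assumed field)
    remote_site: bool = False                  # reaches the local site only through replication
    connected: bool = False                    # push mode: currently holds a connection to the server
    last_contact: Optional[datetime] = None    # pull mode: time of the last check-in
    online_at_replication: bool = False        # remote site: status captured at the last replication


def is_online(client: Client, now: datetime, heartbeat: timedelta) -> bool:
    """True when the client counts as online under the report's rules.

    - remote site: online if it was online at the time of the last replication
    - push mode:   online if it is currently connected to the server
    - pull mode:   online if it contacted the server within the last two heartbeats
    The remote-site rule is applied first because the local site only knows
    replicated status for those clients (an assumption of this example).
    """
    if client.remote_site:
        return client.online_at_replication
    if client.mode == "push":
        return client.connected
    if client.mode == "pull":
        if client.last_contact is None:
            return False                      # never checked in: cannot be online
        # "within the last two client heartbeats": exactly two heartbeats still counts
        return now - client.last_contact <= 2 * heartbeat
    raise ValueError(f"unknown client mode: {client.mode!r}")


def online_percentage_by_group(clients: Sequence[Client], now: datetime,
                               heartbeat: timedelta) -> Dict[str, Tuple[int, int, float]]:
    """Per group: (online count, total clients, percentage online), the pie-chart figures."""
    totals: Dict[str, Tuple[int, int]] = {}
    for c in clients:
        online, total = totals.get(c.group, (0, 0))
        totals[c.group] = (online + int(is_online(c, now, heartbeat)), total + 1)
    return {g: (o, t, round(100.0 * o / t, 1)) for g, (o, t) in totals.items()}


# Constructed sample: a 5-minute heartbeat and a fixed report time.
NOW = datetime(2009, 1, 14, 12, 0, 0)
HEARTBEAT = timedelta(minutes=5)
SAMPLE_CLIENTS = [
    Client("ws-01", "Sales", "push", connected=True),
    Client("ws-02", "Sales", "push", connected=False),
    Client("ws-03", "Sales", "pull", last_contact=NOW - timedelta(minutes=7)),   # inside two heartbeats
    Client("ws-04", "Sales", "pull", last_contact=NOW - timedelta(minutes=10)),  # exactly two heartbeats
    Client("ws-05", "Eng", "pull", last_contact=NOW - timedelta(minutes=11)),    # stale: offline
    Client("ws-06", "Eng", "pull", last_contact=None),                           # never checked in
    Client("ws-07", "Eng", "push", remote_site=True, online_at_replication=True),
    Client("ws-08", "Eng", "push", remote_site=True, connected=True, online_at_replication=False),
]

if __name__ == "__main__":
    for group, (online, total, pct) in sorted(
            online_percentage_by_group(SAMPLE_CLIENTS, NOW, HEARTBEAT).items()):
        print(f"{group}: {online}/{total} online ({pct}%)")
```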

      References
      2009081410023948 - About Application and Device Control reports and logs




      Legacy ID



      2009081409151448

