i have around 3000 machines. I detect some conficker infections with a next gen firewall so im pretty sure that we have incidents.
Another info, all the machine are out-of-date in the endpoint status graphic on the home. The date of the last definitions dates coincides with the last record what i get in the risk report. But when i check it directly into the clients, they are with the lasts definitions.