Risk logs and quick reports

The Risk logs and reports include information about risk events on your server and its clients. The information available includes the event time, the action actually taken, the user name, the computer, the risk name, the source, the count, and the file path.
Some scan actions in the logs and reports might recommend that you run Power Eraser on certain detections. In some logs and reports, you can filter on Action taken to check for these recommendations.
Power Eraser detections do not appear in Risk reports. Power Eraser is an aggressive scan that flags potential risks. Since the scan results might inflate the actual detection count, these detections are not included in the reports. The detections do appear in the logs, however, so that the administrator can take action on the potential risks.
The Actions table describes the commands that are available in the Risk logs.
The Basic Settings filter options for Risk quick reports table describes the filter options for a few of the quick reports.
The following table describes the Additional Settings filter options for the logs and quick reports.
Additional Settings filter options for views of the Risk logs and quick reports

Action taken
Specifies the action taken that you want to view information about. Select one of the following actions:
  • All
  • Access denied
    View events where the Auto-Protect portion of Symantec Endpoint Protection prevented a file from being created.
  • Action invalid
    View events where the action taken was invalid. These risks may still be present on the computer.
  • All actions failed
    View events where both the primary action and the secondary action that is configured for the risk cannot be carried out for some reason.
  • Bad
    View events where scan engine failure occurred for an unspecified reason. These risks may still be present on the computer.
  • Cleaned
    View events where the software cleaned a virus from the computer.
  • Cleaned by deletion
    View events where the action configured was “clean,” but a file was deleted because that was the only way to clean it. For example, this action is generally needed for Trojan horse programs.
  • Cleaned or macros deleted
    View the events where a macro virus was cleaned from a file either by deletion or some other means. This action applies only to events that have been received from computers running Symantec AntiVirus 8.x or earlier versions.
  • Deleted or removed
    View the events where the software deleted an object, such as a file or a registry key, to remove a risk.
  • Excluded
    View the events where users chose to exclude a security risk from detection. For example, this action can occur when a user is prompted for permission to terminate a process.
  • Left alone
    View the events where a risk was left alone. This action can occur if the first configured action is Leave alone. This action can also occur if the second configured action is Leave alone and the first configured action is not successful. This action may mean that a risk is active on the computer.
  • No repair available
    View the events where a risk was detected but no repair is available for the side effects of this risk.
  • No repair available - Power Eraser recommended for repair
    View the events where a scan cannot repair the side effects of certain detections. You should run Power Eraser on the computers where these events occur. After Power Eraser detects the threat, you must manually initiate the repair.
  • Partially repaired
    View the events where Symantec Endpoint Protection cannot completely repair the effects of a virus or security risk.
  • Pending repair or Pending admin action
    View the events where a user or administrator should take action to complete the remediation of a risk on a computer. For example, the Pending repair action might occur if a user hasn’t responded to a prompt to terminate a process. Pending admin action occurs when Power Eraser requires the administrator to perform some action from the logs in the console.
  • Process terminated
    View the events where a process had to be terminated on a computer to mitigate a risk.
  • Process termination pending restart
    View the events where a computer needs to be restarted to terminate a process to mitigate a risk.
  • Quarantined
    View the events where Symantec Endpoint Protection quarantined a virus or a security risk.
  • Restored
    View the Power Eraser events that the administrator deleted but then chose to restore.
  • Suspicious
    View the events where a SONAR scan detected a potential risk but has not remediated it, either because it cannot or because you have configured it to only log detections.
  • Threat blocked - Power Eraser recommended for repair
    View the events where a scan detected and blocked a threat but did not remove or repair any files. You should run Power Eraser on the computers where these events occur. After Power Eraser detects the threat, you must manually initiate the repair.
  • Restart required - Quarantined
    View the events that require a restart after scans quarantine risks.
  • Restart required - Cleaned
    View the events that require the client computer to restart after scans clean the risks.
  • Left alone by Admin
    View the Power Eraser events that the administrator reviewed but chose to leave alone and not remediate. Note that this event action is not sent to the client. The corresponding event on the client in the client log view continues to show the event action as “Pending analysis.”
Scan type
Specifies the type of scan that you want to view information about. For example, you can select Scheduled scan, Console, or Idle scan. Scheduled scan includes all of the scheduled scan types: Active Scan, Full Scan, and Custom Scan.
Risk type
Specifies the type of risk that you want to view information about. For example, you can select Malware, Cookie, or Remote access.
  • Event type
  • Domain
  • Group
  • Server
  • Computer
  • IP address
  • User
  • Operating system
Risk name
Use this option if you know the name of the risk.
You can use the wildcard characters question mark (?), which matches any one character, and asterisk (*), which matches any string of characters. The field also accepts a comma-separated list of names.
Application
Specifies the name of the application that you want to view information about.
You can use the wildcard characters question mark (?), which matches any one character, and asterisk (*), which matches any string of characters. The field also accepts a comma-separated list of names.
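As an added example, not code from the Symantec documentation or product, the following Python script applies the filter semantics described above (the ? and * wildcards and comma-separated lists of the Risk name and Application fields) to a few constructed risk events, and then picks out the events whose Action taken value recommends Power Eraser or is pending an administrator action, which the introduction notes appear in the logs but not in the Risk reports. The event field names, the sample data, and case-insensitive matching are assumptions.

```python
"""Added example (not Symantec's code): Risk log filtering with the wildcard
and comma-separated-list semantics the Risk name / Application fields describe,
plus a pass that pulls out the events whose Action taken calls for Power Eraser
or an administrator action. Field names, sample data and case-insensitive
matching are assumptions."""
import re

# Constructed sample events; the keys mirror the log columns the page lists.
SAMPLE_EVENTS = [
    {"time": "2024-01-10 09:12", "action_taken": "Quarantined",
     "user": "alice", "computer": "WS-001", "risk_name": "Trojan.Gen.2",
     "source": "Auto-Protect", "count": 1,
     "file_path": r"C:\Users\alice\Downloads\setup.exe"},
    {"time": "2024-01-10 09:40",
     "action_taken": "No repair available - Power Eraser recommended for repair",
     "user": "bob", "computer": "WS-002", "risk_name": "Trojan.Gen.MBT",
     "source": "Scheduled scan", "count": 1,
     "file_path": r"C:\ProgramData\tmp\svc.dll"},
    {"time": "2024-01-10 10:05",
     "action_taken": "Threat blocked - Power Eraser recommended for repair",
     "user": "carol", "computer": "WS-003", "risk_name": "Backdoor.Example",
     "source": "Auto-Protect", "count": 2,
     "file_path": r"C:\Users\carol\AppData\Local\Temp\x.exe"},
    {"time": "2024-01-10 11:30", "action_taken": "Pending admin action",
     "user": "dave", "computer": "WS-004", "risk_name": "Trojan.Gen.2",
     "source": "Power Eraser", "count": 1,
     "file_path": r"C:\Windows\Temp\upd.exe"},
    {"time": "2024-01-10 12:00", "action_taken": "Cleaned",
     "user": "erin", "computer": "WS-005", "risk_name": "W32.Sality",
     "source": "Scheduled scan", "count": 1,
     "file_path": r"C:\Users\erin\Documents\report.exe"},
]

# Action taken values from the table above that leave remediation with the admin.
POWER_ERASER_FOLLOWUP_ACTIONS = {
    "No repair available - Power Eraser recommended for repair",
    "Threat blocked - Power Eraser recommended for repair",
    "Pending admin action",
}


def wildcard_to_regex(pattern):
    """Translate one filter value into an anchored regex: '?' matches exactly one
    character, '*' matches any string (including the empty string), everything
    else is literal (so the '.' in 'Trojan.Gen' is not a regex wildcard)."""
    parts = []
    for ch in pattern.strip():
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    # Case-insensitive comparison is an assumption; the page does not say.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches_filter(value, filter_text):
    """A comma-separated filter matches when any one entry matches the value.
    An empty filter imposes no restriction (assumption)."""
    entries = [p for p in filter_text.split(",") if p.strip()]
    if not entries:
        return True
    return any(wildcard_to_regex(p).match(value) for p in entries)


def filter_events(events, risk_name="", action_taken="All"):
    """Apply the Risk name field and the Action taken selection to a list of events."""
    return [
        e for e in events
        if (action_taken == "All" or e["action_taken"] == action_taken)
        and matches_filter(e["risk_name"], risk_name)
    ]


def power_eraser_followups(events):
    """Events that need an administrator to act from the console: a scan
    recommended Power Eraser, or Power Eraser is waiting on an admin action.
    These show up in the logs but not in the Risk reports."""
    return [e for e in events if e["action_taken"] in POWER_ERASER_FOLLOWUP_ACTIONS]


if __name__ == "__main__":
    for e in filter_events(SAMPLE_EVENTS, risk_name="Trojan.*"):
        print(e["computer"], e["risk_name"], e["action_taken"])
    print("needs admin follow-up:",
          [e["computer"] for e in power_eraser_followups(SAMPLE_EVENTS)])
```

The regex translation escapes every character other than ? and *, which matters for risk names such as Trojan.Gen.2, where the dots must be matched literally rather than as regex wildcards; the follow-up pass is the scripted equivalent of filtering the log view on Action taken to find the detections that still need an administrator to act.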
The following table describes the exceptions that you can add to the Exceptions policy from the Risk logs, together with the other commands that are available there. Select the action and click Apply.

Actions
Allow application
Creates an application exception with an action of Ignore. The file is identified by its hash. The exception applies to both SONAR and any virus and spyware scan.
Block application
Creates a SONAR application exception with an action of Quarantine. The file is identified by its hash.
Add file to Exceptions policy
Creates an exception for the detected file so that virus and spyware scans no longer detect the file. The file is identified by its file path.
Add folder to Exceptions policy
Creates an exception for the folder where the detected file resides. Applies only to virus and spyware scans, not to SONAR scans. The exception does not automatically include subfolders.
Trust Web domain
Creates a trusted Web domain exception that applies to the URL from which the file was downloaded. The exception only applies to files Download Insight detected.
Add risk to Exceptions policy
Creates a known risk exception. Applies only to files that are detected as known security risks, such as adware or spyware.
Add extension to Exceptions policy
Creates an exception for the extension of the detected file. For example, if the file that you select has an extension of .doc, then DOC is added to the list of extensions that virus and spyware scans do not scan.
Delete from Quarantine
Removes the selected file from the client computers’ quarantine.
Download file that the client quarantined
Downloads the files that the client detected as a risk, quarantined, and uploaded to the management server. Use this command to access the file for further analysis.
Downloaded quarantined files support replication.
Start Power Eraser Analysis
Runs Power Eraser on the selected risks. Symantec Endpoint Protection sometimes recommends that you run Power Eraser on a detected risk.
Delete a risk that Power Eraser detected
Removes the selected risks that Power Eraser detected on client computers. Use this command to manually remove risks that Power Eraser detected. Power Eraser does not remove risks automatically.
Restore a risk that Power Eraser deleted
Restores files that Power Eraser detected and that you or another administrator previously removed.
Ignore a risk that Power Eraser detected
Acknowledges the selected detections. Use this command after you have reviewed the selected detections and decided to leave them alone.
Basic Settings filter options for Risk quick reports

Group by
Specifies the target that you want to see information about. For example, for Risks Detections Count, you can group by Computer. For New Risks Detected in the Network, you can select Group or User name. For Risk Distribution Summary, you can select Risk name or Source.
Configure . . .
This option is only available for the Comprehensive Risk Report. By default, the Comprehensive Risk Report includes all of the distribution reports and the new risks. You can click this option to limit the data in this report.
X-axis
Specifies the variable that you want to use on the X-axis of the 3D bar graph. For example, you can select User name or Server.
The graph displays the top five instances of this axis variable. If you selected Computer as one of the variables and there are fewer than five infected computers, non-infected computers may appear in the graph.
This option is only available for the Top Risk Detections Correlation report.
Y-axis
Specifies the variable that you want to use on the Y-axis of the 3D bar graph. For example, you can select Domain or Risk name.
The graph displays the top five instances of this axis variable. If you selected Computer as one of the variables and there are fewer than five infected computers, non-infected computers may appear in the graph.
This option is only available for the Top Risk Detections Correlation report.
Additional filter settings for the Number of Notifications and the Number of Notifications Over Time quick reports

Acknowledged status
Displays the notifications that you have read or not read.
Notification type
Specifies the type of notification that you want to view information about. For example, you can select Client list change or New software package.
Created by
Specifies that you want to view the notifications whose filters were created by this user.
Notification name
Specifies the name of a particular notification that you want to view information about.
You can click the . . . option to select from a list of known notifications. You can use the wildcard characters question mark (?), which matches any one character, and asterisk (*), which matches any string of characters. By default, all notifications that have been created are included.