About the types of
Symantec Endpoint Protection Manager
reports

The following categories of reports are available:
  • Quick reports, which you run on demand.
  • Scheduled reports, which run automatically based on a schedule that you configure.
Reports include the event data that is collected from your management servers as well as from the client computers that communicate with those servers. You can customize reports to provide the information that you want to see.
The quick reports are predefined, but you can customize them and save the filters that you used to create the customized reports. You can use the custom filters to create custom scheduled reports. When you schedule a report to run, you can configure it to be emailed to one or more recipients.
A scheduled report always runs by default. You can change the settings for any scheduled report that has not yet run. You can also delete a single scheduled report or all of the scheduled reports.
Report types available as quick reports and scheduled reports
Report type
Description
Audit
Displays the information about the policies that clients and locations use currently. It includes information about policy modification activities, such as the event times and types, policy modifications, domains, sites, administrators, and descriptions.
Application and Device Control
Displays the information about events where some type of behavior was blocked. These reports include information about application security alerts, blocked targets, and blocked devices. Blocked targets can be Windows registry keys, DLLs, files, and processes.
Compliance
Displays the information about how many clients passed or failed the Host Integrity check.
Computer Status
Displays the information about the operational status of the computers in your network, such as which computers have security features turned off. These reports include information about versions, the clients that have not checked in to the server, client inventory, and online status.
Deception
Displays the information about Deception activity, such as top computers or users that report Deception activity, and top Deceptors triggered.
Network and Host Exploit Mitigation
Displays the information about intrusion prevention, attacks on the firewall, firewall traffic and packets, and Memory Exploit Mitigation.
The Network and Host Exploit Mitigation reports let you track a computer’s activity and its interaction with other computers and networks. They record information about the traffic that tries to enter or exit the computers through their network connections. Memory Exploit Mitigation events list which mitigation techniques terminated an application or blocked an exploit from attacking an application.
Risk
Displays the information about risk events on your management servers and their clients. It includes information about SONAR scans.
Scan
Displays the information about virus and spyware scan activity.
System
Displays the information about event times, event types, sites, domains, servers, and severity levels. The System reports contain information that is useful for troubleshooting client problems.
If you have multiple domains in your network, many reports let you view data for all domains, one site, or a few sites. The default for all quick reports is to show all domains, groups, servers, and so on, as appropriate for the report you select to create.
The following section describes the reports by name and their general content. You can configure Basic Settings and Advanced Settings for all reports to refine the data you want to view. You can also save your custom filter with a name to run the same custom report at a later time.
Audit reports
Report name
Description
Policies Used
This report displays the policies that clients and locations use currently. Information includes the domain name, group name, and the serial number of the policy that is applied to each group.
Application and Device Control reports
Report name
Description
Top Groups With Most Alerted Application Control Logs
This report consists of a pie chart with the relative bars. It shows the groups with the application control logs that have generated the largest number of security alerts.
Top Targets Blocked
This report consists of a pie chart with the following targets, if applicable:
  • Top Files
  • Top Registry Keys
  • Top Processes
  • Top Modules (dlls)
Top Devices Blocked
This report consists of a pie chart that shows the devices most frequently blocked from access to your network.
Compliance reports
Report name
Description
Host Integrity Status
This report displays the clients that have passed or failed the Host Integrity check that runs on their computer.
Clients by Compliance Failure Summary
This report consists a bar chart that shows:
  • A count of the unique workstations by the type of control failure event, such as antivirus, firewall, or VPN
  • The total number of clients in the group
Compliance Failure Details
This report consists of a table that displays unique computers by control failure. It shows the criteria and the rule that is involved in each failure, along with the percentage of clients that are deployed and the percentage that failed.
Non-compliant Clients by Location
This report consists of a table that shows the compliance failure events. These events display in groups that are based on their location. Information includes the unique computers that failed, and the percentage of total failures and location failures.
Computer Status reports
Report name
Description
Virus Definition Distributions
This report displays the unique virus definitions file versions that are used throughout your network and the number of computers and percentage using each version.
Computers Not Recently Updated
This report displays a list of all the computers that have not been recently updated. It also displays the computer’s operating system, IP address, user name, and the last time its status was changed.
Symantec Endpoint Protection Product Versions
This report displays the list of version numbers for all the Symantec Endpoint Protection product versions in your network. It also includes the domain and server for each, as well as the number of computers and percentage of each.
Intrusion Prevention Signature Distribution
This report displays the IPS signature file versions that are used throughout your network. It also includes the domain and server for each, as well as the number of computers and percentage of each.
Download Protection Signature Distribution
This report displays the download protection signature file versions that are used throughout your network. It also includes the domain and server for each, as well as the number of computers and percentage of each.
SONAR Signature Distribution
This report displays the SONAR signature file versions that are used throughout your network. It also includes the domain and server for each, as well as the number of computers and percentage of each.
Client Inventory
This report consists of a bar chart that displays the total number of computers and percentages of:
  • Operating System
  • Total Memory
  • Free Memory
  • Total Disk Space
  • Free Disk Space
  • Processor Type
Compliance Status Distribution
This report consists of a pie chart with relative bars that show compliance passes and failures by group or by subnet. It shows the number of computers and the percentage of computers that are in compliance.
Client Online Status
This report consists of pie charts with the relative bars per group or per subnet. It displays the percentage of your computers that are online.
Online has the following meanings:
  • For the clients that are in push mode, online means that the clients are currently connected to the server
  • For the clients that are in pull mode, online means that the clients have contacted the server within the last two client heartbeats
  • For the clients in remote sites, online means that the clients were online at the time of the last replication
Clients With Latest Policy
This report consists of pie charts per group or subnet. It displays the number of computers and percentage that have the latest policy applied.
Client Count by Group
This report consists of a table that lists host information by group. It displays the number of clients and users. If you use multiple domains, this information appears by domain.
Security Status Summary
This report reflects the general security status of the network, and displays the number and percentage of computers that have the following status:
  • The Antivirus English is off
  • Auto-protect is off
  • Tamper Protection is off
  • Restart is required
  • A Host Integrity check failed
  • Network Threat Protection is off
Protection Content Versions
This report displays all the proactive protection content versions that are used throughout your network. One pie chart is displayed for each of the following types of protection:
  • Decomposer versions
  • Eraser Engine versions
  • SONAR Content versions
  • SONAR Engine versions
  • Commercial Application List versions
  • Content Handler Engine versions
  • Permitted Application List versions
  • The new content types that Symantec Security Response has added
Symantec Endpoint Protection Licensing Status
This report contains days remaining for trial license expiration and instructions to add new licenses.
Client Inventory Details
This report contains details of client inventory, such as computer specifications and signatures.
Client Software Rollout (Snapshots)
Scheduled report only
This report consists of tables that track the progression of client package deployments. The snapshot information lets you see how quickly the rollout progresses, and how many clients are still not fully deployed.
Clients Online/Offline Over Time (Snapshots)
Scheduled report only
This report consists of line charts and tables that shows the number of clients online or offline. One chart displays for each of the top targets. The target is either a group or an operating system.
Clients With Latest Policy Over Time (Snapshots)
Scheduled report only
This report consists of a line chart that displays the clients that have the latest policy applied. One chart displays for each of the top clients.
Non-Compliant Clients Over Time (Snapshots)
Scheduled report only
This report consists of a line chart that shows the percentage of clients that have failed a host integrity check over time. One chart displays for each of the top clients.
Virus Definition Rollout (Snapshots)
Scheduled report only
This report lists the virus definitions package versions that have been rolled out to clients. This information is useful for tracking the progress of deploying new virus definitions from the console.
Deployment Report
This report summarizes the state of client installations and deployments.
Network and Host Exploit Mitigation reports
Report name
Description
Top Targets Attacked
Includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks. You can view information using groups, subnets, clients, or ports as the target.
Top Sources of Attack
Shows the top hosts that initiated attacks against your network. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks.
Top Types of Attack
Includes information such as the number and percentage of events, the group and severity, and the event type and number by group.
Top Blocked Applications
Shows the top applications that were prevented from accessing your network. It includes information such as the number and percentage of attacks, the group and severity, and the event type and number by group.
Attacks Over Time
Shows the attacks during the selected time period. For example, if the time range is the last month, the report displays the total number of attacks per day for the past month. It includes the number and percentage of attacks. You can view attacks for all computers, or by the top operating systems, users, IP addresses, groups, or attack types.
Security Events by Severity
Displays the total number and percentage of security events in your network, ranked according to their severity.
Blocked Applications Over Time
Displays the total number of applications that were prevented from accessing your network over a time period that you select. It includes the event time, the number of attacks, and the percentage. You can display the information for all computers, or by group, IP address, operating system, or user.
Traffic Notifications Over Time
Shows the number of notifications that were based on firewall rule violations over time. The rules that are counted are those where you checked the Send Email Alert option in the Logging column of the Firewall Policy Rules list. You can display the information in this report for all computers, or by group, IP address, operating system, or user.
Top Traffic Notifications
Lists the group or subnet, and the number and percentage of notifications. It shows the number of notifications that were based on firewall rule violations that you configured as important to be notified about. The rules that are counted are those where you checked the Send Email Alert option in the Logging column of the Firewall Policy Rules list. You can view information for all, for the Traffic log, or for the Packet log, grouped by top groups or subnets.
Memory Exploit Mitigation Detections
Displays the number of memory exploit mitigation types that have been blocked or allowed.
Top URL Detections
Lists the URLs that URL reputation blocks.
Full Report
Lists the top Network Threat Protection items in a single report.
Risk reports
Report name
Description
Infected and At Risk Computers
This report consists of two tables. One table lists computers that have a virus infection, and the other table lists the computers that have a security risk that has not yet been remediated.
Action List
This report consists of a table that shows a count of all the possible actions that were taken when risks were detected. The possible actions are Cleaned, Suspicious, Blocked, Quarantined, Deleted, Pending Repair, Logged Commercial or Forced detections, Newly Infected, and Still Infected. This information also appears on the Symantec Endpoint Protection Home page.
Risk Detections Count
This report consists of a pie chart, a risk table, and an associated relative bar. It shows the number of risk detections by domain, server, or computer. If you have legacy Symantec AntiVirus clients, the report uses the server group rather than the domain.
New Risks Detected in the Network
This report consists of a table and a distribution pie chart. For each new risk, the table provides the following information:
  • Risk name
  • Risk category or type
  • First discovered data
  • First occurrence in the organization
  • Scan type that first detected it
  • Domain where it was discovered (server group on legacy computers)
  • Server where it was discovered (parent server on legacy computers)
  • Group where it was discovered (parent server on legacy computers)
  • The computer where it was discovered and the name of the user that was logged on at the time
The pie chart shows new risk distribution by the target selection type: domain (server group on legacy computers), group, server (parent server on legacy computers), computer, or user name.
Top Risk Detection Correlation
This report consists of a three-dimensional bar graph that correlates virus and security risk detections by using two variables. You can select from computer, user name, domain, group, server, or risk name for the x and y axis variables. This report shows the top five instances for each axis variable. If you selected computer as one of the variables and there are fewer than five infected computers, non-infected computers may appear in the graph.
For computers running legacy versions of Symantec AntiVirus, the server group and parent server are used instead of domain and server.
Download Risk Distribution
This report displays the number of files detected by Download Insight and groups them by sensitivity level. Detailed reports are given to files that have been found. You can also group files by URL, web domain, application, and user-allowed before running the report.
Risk Distribution Summary
This report consists of a pie chart and an associated bar graph that displays a relative percentage for each unique item from the chosen target type. For example, if the chosen target is risk name, the pie chart displays slices for each unique risk. A bar is shown for each risk name and the details include the number of detections and its percentage of the total detections.
Risk Distribution Over Time
This report consists of a table that displays the number of virus and security risk detections per unit of time and a relative bar.
Risk Distribution by Protection Technology
This report displays the number of virus and security risk detections per protection technology.
SONAR Detection Results
This report consists of a pie chart and bar graphs that display the following information:
  • A list of the applications that are labeled as risks that you have added to your exceptions as permitted in your network
  • A list of the applications that have been detected that are confirmed risks
  • A list of the applications that have been detected but whose status as a risk is still unconfirmed
For each list, this report displays the company name, the application hash and the version, and the computer involved. For the permitted applications, it also displays the source of the permission.
SONAR Threat Distribution
Displays the top application names that have been detected with relative bars and a summary table. The detections include applications on the Commercial Applications List and Forced Detections lists. The first summary table contains the application name and the number and percentage of detections.
SONAR Threat Detection Over Time
This report consists of a line chart that displays the number of proactive threat detections for the time period selected. It also contains a table with relative bars that lists the total numbers of the threats that were detected over time.
Action Summary for Top Risks
This report lists the top risks that have been found in your network. For each, it displays action summary bars that show the percentage of each action that was taken when a risk was detected. Actions include quarantined, cleaned, deleted, and so on. This report also shows the percentage of time that each particular action was the first configured action, the second configured action, neither, or unknown.
Number of Notifications
This report consists of a pie chart with an associated relative bar. The charts show the number of notifications that were triggered by the firewall rule violations that you have configured as important to be notified about. It includes the type of notifications and the number of each.
Number of Notifications Over Time
This report consists of a line chart that displays the number of notifications in the network for the time period selected. It also contains a table that lists the number of notifications and percentage over time. You can filter the data to display by the type of notification, acknowledgment status, creator, and notification name.
Weekly Outbreaks
This report displays the number of virus and security risk detections and a relative bar per week for each for the specified time range. A range of one day displays the past week.
Comprehensive Risk Report
This report, by default, includes all of the distribution reports and the new risks report. However, you can configure it to include only certain reports. This report includes the information for all domains.
Symantec Endpoint Protection Daily Status
This report contains virus detection, intervention and definition status for network events over the previous 24 hours.
Symantec Endpoint Protection Weekly Status
This report contains licensing status and virus detection statistics for endpoint computers over the previous week. Data reflects cumulative values unless otherwise noted.
Scan reports
Report name
Description
Scan Statistics Histogram
This report consists of a histogram where you can select how you want the following information in the scan to be distributed:
  • By the scan time (in seconds)
  • By the number of risks detected
  • By the number of files with detections
  • By the number of files that are scanned
  • By the number of files that are omitted from scans
You can also configure the bin width and how many bins are used in the histogram. The bin width is the data interval that is used for the group by selection. The number of bins specifies how many times the data interval is repeated in the histogram.
The information that displays includes the number of entries and the minimum and the maximum values, as well as the average and the standard deviation.
You might want to change the report values to maximize the information that is generated in the report's histogram. For example, you might want to consider the size of your network and the amount of information that you view.
Computers by Last Scan Time
This report shows a list of computers in your security network by the last time scanned. It also includes the IP address and the name of the user that was logged in at the time of the scan.
Computers Not Scanned
This report shows a list of computers in your security network that have not been scanned and provides the following formation:
  • The IP address
  • The time of the last scan
  • The name of the current user or the user that was logged on at the time of the last scan
System reports
Report name
Description
Top Clients that Generate Errors
This report consists of a pie chart for each warning condition and error condition. The charts show the relative error count and relative warning count and percentage, by client.
Top Servers that Generate Errors
This report consists of a pie chart for each warning condition and error condition. The chart shows the relative error count and relative warning count and percentage, by server.
Database Replication Failures Over Time
This report consists of a line chart with an associated table that lists the replication failures for the time range selected.
Site Status Report
This report shows a real-time summary of the health status of all sites and information on all servers on the local site.
WSS Integration Token Usage
This report summarizes the usage of the integration token for client authentication with
Web and Cloud Access Protection
.