Different report types are available for each endpoint type:
Computer, virtual machine and container reports
These are the available report types for physical and virtual machines:
Antiphishing Activity
Informs you about the activity of the Antiphishing module of Bitdefender Endpoint Security Tools. You can view the number of blocked phishing websites on the selected endpoints and the user that was logged in at the time of the last detection. By clicking the links from the Blocked Websites column, you can also view the website URLs, how many times they were blocked and when was the last block event.
The report also includes a classification of the detection events and affected endpoints as follows:
Top 10 domains blocked on endpoints, which details the most frequently detected domains (available only in PDF format).
Top 10 affected endpoints, which informs you about the endpoints that have the most Antiphishing detections (available only in PDF format).
Affected endpoints, which presents the total number of endpoints with at least one detection.
Total detections, which provides the total number of phishing detections on all endpoints.
Blocked Applications
Informs you about the activity of the following modules: Antimalware, Firewall, Content Control, Advanced Anti-Exploit and ATC/IDS. You can see the number of blocked applications on the selected endpoints and the user that was logged in at the time of the last detection.
Click the number associated with a target to view additional information on the blocked applications, the number of events occurred, and the date and time of the last block event.
In this report, you can quickly instruct the protection modules to allow the selected application to run on the target endpoint:
Click the Add Exception button to define exceptions in the following modules: Antimalware, ATC, Content Control and Firewall. A confirmation window will show up, informing you of the new rule that will modify the existing policy for that specific endpoint.
Blocked Websites
Informs you about the activity of the Web Control module of Bitdefender Endpoint Security Tools. For each target, you can view the number of blocked websites. By clicking this number, you can view additional information, such as:
Website URL and category
Number of access attempts per website
Date and time of the last attempt, as well as the user that was logged in at the time of the detection.
Reason for blocking, which includes scheduled access, malware detection, category filtering and blacklisting.
Customer Status Overview
Helps you find out protection issues within your customer companies. A company has issues whether malware is detected, the antimalware is outdated or the license has expired. The company name is a link to a new window, where you can find company details.
Data Protection
Informs you about the activity of the Data Protection module of Bitdefender Endpoint Security Tools. You can see the number of blocked emails and websites on the selected endpoints, as well as the user that was logged in at the time of the last detection.
Device Control Activity
Informs you about the events occurred when accessing the endpoints through the monitored devices. For each target endpoint, you can view the number of allowed/blocked access and read-only events. If events occurred, additional information is available by clicking the corresponding numbers. Details refer to:
User logged on the machine
Device type and ID
Device vendor and product ID
Date and time of the event.
Endpoint Encryption Status
Provides you with data regarding the encryption status on the endpoints. A pie chart displays the number of machines compliant, respectively non-compliant with the encryption policy settings.
A table below the pie chart delivers details such as:
Endpoint name.
Fully Qualified Domain Name (FQDN).
Machine IP.
Operating system.
Device policy compliance:
Compliant – when the volumes are all encrypted or unencrypted according to the policy.
Non-compliant – when the status of the volumes is not consistent with the assigned policy (for example, only one of two volumes is encrypted or an encryption process is in progress on that volume).
Device policy (Encrypt or Decrypt).
Click the numbers in the Volumes Summary column to view information about each endpoint’s volumes: ID, name, encryption status (Encrypted or Unencrypted), issues, type (Boot or Non-boot), size, Recovery Key ID.
Company name.
Endpoint Modules Status
Provides an overview of the protection modules coverage over the selected targets. In the report details, for each target endpoint, you can view which modules are active, disabled or not installed, and also the scanning engine in use. Clicking the endpoint name will show up the Information window with details about the endpoint and installed protection layers.
By clicking the Reconfigure Client button, you can start a task to change the initial settings of one or several selected endpoints. For details, refer toReconfigure client.
Endpoint Protection Status
Provides you with various status information concerning selected endpoints from your network.
Antimalware protection status
Bitdefender Endpoint Security Tools update status
Network activity status (online/offline)
Management status
You can apply filters by security aspect and status to find the information you are looking for.
Executive Summary
The report presents the Executive Summary widgets along with the available data for the selected interval and company. You can also view important information about the network inventory and detection events such as:
Threats details
Provides the detection events available on the Executive Summary page. You can find details about the category of the detected item, threat type and name, action taken, the module that generated the detection, and many others.
Inventory details
Includes details like the endpoint name and type, the corresponding IP address, operating system, assigned policy, and others.
Note
The report does not include events from the Policy rule-based detections widget.
Firewall Activity
Informs you about the activity of the Firewall module of Bitdefender Endpoint Security Tools. You can see the number of blocked traffic attempts and blocked port scans on the selected endpoints, as well as the user that was logged in at the time of the last detection.
HyperDetect Activity
Informs you about the activity of the HyperDetect module of Bitdefender Endpoint Security Tools.
The chart in the upper side of the report page shows you the dynamics of the attack attempts over the specified period of time and their distribution by type of attack. Moving the mouse over the legend entries will highlight the associated attack type in the chart. Clicking the entry will show or hide the respective line in the chart. Clicking any point on a line will filter your table data according to the selected type. For example, if you click any point on the orange line, the table will display only exploits.
The details in the lower part of the report help you identify the breaches in your network and if they were addressed. They refer to:
The path to the malicious file, or the detected URL, in the case of infected files. For file-less attacks, it is provided with the name of the executable used in the attack, with a link to a details window which displays the detection reason and the malicious command line string.
The endpoint on which the detection was made
The protection module which detected the threat. As HyperDetect is an additional layer of the Antimalware and Content Control modules, the report will provide information about one of these two modules, depending on the type of detection.
The type of the intended attack (targeted attack, grayware, exploits, ransomware, suspicious files and network traffic)
The threat status
The module protection level at which the threat was detected (Permissive, Normal, Aggressive)
Number of times the threat was detected
Most recent detection
Identification as a file-less attack (yes or no), to quickly filter the file-less attacks detections
The exact name of the detected threat
The file hash
Note
A file may be used in more types of attacks. Therefore, GravityZone reports it for each type of attack it was involved in.
From this report, you can quickly resolve false positives, by adding exceptions in the assigned security policies. To do so:
Select as many entries in the table as you need.
Note
File-less attack detections cannot be added to the exceptions list, due to the fact that the detected executable is not malware itself, but can be a threat when using a maliciously encoded command line.
Click the Add exception button at the upper side of the table.
In the configuration window, select the policies to which the exception should be added and then click Add.
By default, related information for each added exception is sent to Bitdefender Labs, to help to improve the detection capabilities of Bitdefender products. You can control this action using the Submit this feedback to Bitdefender for a better analysis checkbox.
If the threat was detected by the Antimalware module, the exception will apply to both On-access and On-demand scanning modes.
Note
You can find these exceptions in the following sections of the selected policies: Antimalware > Settings for files, and Content Control > Traffic for URLs.
License Status
Informs you of the Bitdefender protection coverage in your network. You are provided with details regarding the licenses type, usage and lifetime for the selected companies.
By clicking the number in the Usage column, which corresponds to a company with a monthly license, you can also view usage details, such as the total number of license seats and the number of the remaining seats available for installation.
Malware Status
Helps you find out how many and which of the selected endpoints have been affected by malware over a specific time period and how the threats have been dealt with. You can also see the user that was logged in at the time of the last detection.
Endpoints are grouped based on these criteria:
Endpoints with no detections (no malware threat has been detected over the specified time period)
Endpoints with resolved malware (all detected files have been successfully disinfected or moved to quarantine.
Endpoints with unresolved malware (some of the detected files have been denied access to)
For each endpoint, by clicking the links available in the disinfection result columns, you can view the list of threats and paths to the affected files.
In this report, you can quickly run a Full Scan task on the unresolved targets, by clicking the Scan infected targets button from the Action Toolbar above the data table.
Monthly License Usage
Provides detailed information about the license usage in each month, over a specified time period and for the selected companies that use monthly subscription. To view the hierarchy of a child company, click the plus sign in front of the company name. If needed, you can easily adjust license details by clicking the company name.
Informs you about the license usage in each month, over a specified time period. This report is useful if you have a monthly license subscription.
You can view additional information on the licensed endpoints, such as hardware ID or IP address, by clicking the numbers in License Usage column.
OS type (workstation or server).
Endpoint type (physical or virtual).
Uptime (in seconds) – how much time the endpoint has been protected. Sleep and hibernation modes are not taken into account.
If Central Scan (with Security Server) has been used at least once during the past month.
Also, click the numbers in the Encryption Usage column to view how many endpoints have the Encryption module installed.
Email Security – Monthly License Usage
This report provides license usage for the Email Security service. All report intervals retrieve license usage information until the end of the previous day. For example, you generate a report on Monday, at 12 pm and set the interval to This month. The report will provide license usage information until the end of Sunday.
Network Incidents
Informs you about the activity of the Network Attack Defense module. A graph displays the number of the attack attempts detected over a specified interval. The report details include:
Endpoint name, IP and FQDN
Username
Detection name
Attack technique
Number of attempts
Attacker’s IP
Targeted IP and port
When the attack was blocked most recently
Clicking the Add exceptions button for a selected detection automatically creates an entry in Global Exclusions from the Network Protection section.
Network Patch Status
Check the update status of the software that is installed in your network. The report reveals the following details:
Target machine (endpoint name, IP and operating system).
Security patches (installed patches, failed patches, missing security and non-security patches).
Status and last modified time for checked-out endpoints.
Network Protection Status
Provides detailed information on the overall security status of the target endpoints. For example, you can view information about:
Available protection layers
Managed and unmanaged endpoints
License type and status (additional license related columns are hidden by default)
Infection status
Update status of the product and security content
Software security patch status (missing security or non-security patches)
Users who logged into the computer
For unmanaged endpoints, you will view the Unmanaged status under other columns.
On-demand Scanning
Provides information regarding on-demand scans performed on the selected targets. A pie chart displays the statistics of successful and failed scans. The table below the chart provides details regarding the scan type, occurrence and last successful scan for each endpoint.
Policy Compliance
Provides information regarding the security policies applied on the selected targets. A pie chart displays the status of the policy. In the table below the chart, you can see the assigned policy on each endpoint and the policy type, as well as the date and the user that assigned it.
Sandbox Analyzer Failed Submissions
Displays all failed submissions of objects sent from the endpoints to Sandbox Analyzer over a specified time period. A submission is considered failed after several retry attempts.
The graphic shows the variation of the failed submissions during the selected period, while in the report details table you can view which files could not be sent to Sandbox Analyzer, the machine where the object was sent from, date and time for each retry, the error code returned, description of each failed retry and the company name.
Sandbox Analyzer Results (Deprecated)
Provides you with detailed information related to the files on target endpoints, which were analyzed in the sandbox over a specified time period. A line chart displays the number of the clean or dangerous analyzed files, while the table presents you with details on each case.
You are able generate a Sandbox Analyzer Results report for all analyzed files or only for those detected as malicious.
You can view:
Analysis verdict, saying whether the file is clean, dangerous or unknown (Threat detected / No threat detected / Unsupported). This column shows up only when you select the report to display all analyzed objects.
To view the complete list with file types and extensions supported by Sandbox Analyzer, refer to Supported File Types and Extensions for Manual Submission .
Threat type, such as adware, rootkit, downloader, exploit, host-modifier, malicious tools, password stealer, ramsomware, spam or Trojan.
Date and time of the detection, which you can filter depending on the reporting period.
Hostname or IP of the endpoint where the file was detected.
Name of the files, if they were submitted individually, or number of analyzed files in case of a bundle. Click the file name or bundle link to view details and actions taken.
Remediation action status for the submitted files (Partial, Failed, Reported Only, Successful).
Company name.
More information about the properties of the analyzed file is available by clicking the
Read more button in the Analysis Result column. Here you can view security insights and detailed reporting on the sample behavior.
Sandbox Analyzer captures the following behavioral events:
Writing / deleting / moving / duplicating / replacing files on the system and on removable drives.
Execution of newly-created files.
Changes to the file system.
Changes to the applications running inside the virtual machine.
Changes to the Windows taskbar and Start menu.
Creating / terminating / injecting processes.
Writing / deleting registry keys.
Creating mutex objects.
Creating / starting / stopping / modifying / querying / deleting services.
Changing browser security settings.
Changing Windows Explorer display settings.
Adding files to firewall exception list.
Changing network settings.
Enabling execution at system startup.
Connecting to a remote host.
Accessing certain domains.
Transferring data to and from certain domains.
Accessing URLs, IPs and ports through various communication protocols.
Checking the indicators of virtual environment.
Checking the indicators of monitoring tools.
Creating snapshots.
SSDT, IDT, IRP hooks.
Memory dumps for suspicious processes.
Windows API functions calls.
Becoming inactive for a certain time period to delay execution.
Creating files with actions to be executed at certain time intervals.
In the Analysis Result window, click the Download button to save to your computer the Behavior Summary content in the following formats: XML, HTML, JSON, PDF.
This report will continue to be supported for a limited amount of time. It is recommended for you to use instead submission cards to gather the necessary information on analyzed samples. The submission cards are available in the Sandbox Analyzer section, in the main menu of Control Center.
Security Audit
Provides information about the security events that occurred on a selected target. The information refers to the following events:
Malware detection
Blocked application
Blocked scan port
Blocked traffic
Blocked website
Blocked device
Blocked email
Blocked process
Advanced Anti-Exploit events
Network Attack Defense events
To simplify the analysis of Antimalware detections the report classifies them along with the affected endpoints based on different criteria as follows:
Top 10 malware by number of endpoints, details the most frequent Antimalware detections (available only in PDF format).
Top 10 endpoints by number of Antimalware detections, which informs you about the endpoints that have the most Antimalware detection (available only in PDF format).
Endpoints, which presents the total number of endpoints with at least one Antimalware detection.
Detections, which provides the total number of Antimalware detections on all endpoints.
Security Server Status
Helps you evaluate the status of the target Security Servers. You can identify the issues each Security Server might have, with the help of various status indicators, such as:
Status: shows the overall Security Server status.
Machine status: informs which Security Server appliances are stopped.
AV status: points out whether the Antimalware module is enabled or disabled.
Update status: shows if the Security Server appliances are updated or whether the updates have been disabled.
Load status: indicates the scan load level of a Security Server as described herein:
Underloaded, when less than 5% of its scanning capacity is used.
Normal, when the scan load is balanced.
Overloaded, when the scan load exceeds 90% of its capacity. In such case, check the security policies. If all Security Servers allocated within a policy are overloaded, you need to add another Security Server to the list. Otherwise, check the network connection between the clients and Security Servers without load issues.
HVI protected VMs: informs you of the virtual machines that are monitored and protected by HVI module.
You can also view how many agents are connected to the Security Server. Further on, clicking the number of connected clients will display the list of endpoints. These endpoints may be vulnerable if the Security Server has issues.
Security Container Status
Helps you evaluate the status of the target Security Container. You can identify the issues each Security Server might have, with the help of various status indicators, such as:
Security Container Name: the name of the container
IP: the IP address of the container
Container Host: displays the host managing this specific container
Status: shows the overall container status
Last Security Content Update: date at which the container was last updated
Security Content Update Status: shows if the security content is up to date or whether the updates have been disabled.
Product Update Status: shows if the product version is up to date or whether the updates have been disabled.
Current Product Version: product version currently installed on the container.
Last Product Update: date at which the security container was deployed.
Note
To update a security container you need to redeploy it with the new product version.
Latest Product Version: latest product version available.
Top 10 Detected Malware
Shows you the top 10 malware threats detected over a specific time period on selected endpoints.
Note
The details table displays all endpoints which were infected by the top 10 detected malware.
Top 10 Infected Companies
Shows you the top 10 most infected companies, based on your selection, by the number of total detections over a specific time period.
Top 10 Infected Endpoints
Shows you the top 10 most infected endpoints by the number of total detections over a specific time period out of the selected endpoints.
Note
The details table displays all malware detected on the top 10 infected endpoints.
Update Status
Using the available filters, you can easily find out which clients have updated and which have not in the last 24 hours.
In this report, you can quickly bring the agents to the latest version. To do this, click the Update button from the Action Toolbar above the data table.
Upgrade Status
Shows you the security agents installed on the selected targets and whether a more recent solution is available.
For endpoints with old security agents installed, you can quickly install the latest supported security agent by clicking the Upgrade button. This operation is possible only if all targets are from the same company.
Note
This report is available only when a GravityZone solution upgrade has been made.
Exchange Server reports
These are the available report types for Exchange Servers:
Exchange – Blocked Content and Attachments
Provides you with information about emails or attachments that Content Control deleted from the selected servers over a specific time interval. The information includes:
Email addresses of the sender and of the recipients.
When the email has more recipients, instead of the email addresses, the report displays the recipients number with a link to a window containing the list of email addresses.
Email subject.
Detection type, indicating which Content Control filter detected the threat.
The action taken on the detection.
The server where the threat was detected.
The company that owns the mail server.
Exchange – Blocked Unscannable Attachments
Provides you with information about emails containing unscannable attachments (over-compressed, password-protected, etc.), blocked on the selected Exchange mail servers over a specific time period. The information refers to:
Email addresses of the sender and of the recipients.
When the email is sent to more recipients, instead of the email addresses, the report displays the recipients number with a link to a window containing the list of email addresses.
Email subject.
The actions taken to remove the unscannable attachments:
Deleted Email, indicating that the entire email has been removed.
Deleted Attachments, a generic name for all actions that remove attachments from the email message, such as deleting the attachment, moving to quarantine or replacing it with a notice.
By clicking the link in the Action column, you can view details about each blocked attachment and the corresponding action taken.
Detection date and time.
The server where the email was detected.
The company that owns the mail server.
Exchange – Email Scan Activity
Shows statistics on the actions taken by the Exchange Protection module over a specific time interval.
The actions are grouped by detection type (malware, spam, forbidden attachment and forbidden content) and by server.
The statistics refer to the following email statuses:
Quarantined. These emails were moved to the Quarantine folder.
Deleted/Rejected. These emails were deleted or rejected by the server.
Redirected. These emails were redirected to the email address supplied in the policy.
Cleaned and delivered. These emails had the threats removed and passed through the filters.
An email is considered cleaned when all detected attachments have been disinfected, quarantined, deleted or replaced with text.
Modified and delivered. Scan information was added to the emails headers and the emails passed through the filters.
Delivered without any other action. These emails were ignored by Exchange Protection and passed through the filters.
Exchange – Malware Activity
Provides you with information about emails with malware threats, detected on the selected Exchange mail servers over a specific time period. The information refers to:
Email addresses of the sender and of the recipients.
When the email is sent to more recipients, instead of the email addresses, the report displays the recipients number with a link to a window containing the list of email addresses.
Email subject.
Email status after antimalware scan.
By clicking the status link, you can view details about the detected malware and the action taken.
Detection date and time.
The server where the threat was detected.
The company that owns the mail server.
Exchange – Monthly License Usage
Provides detailed information regarding the Security for Exchange license usage for your managed companies over a specific time period.
The table below the graphic provides details regarding the company name, license keys, month and number of protected mailboxes belonging to each of your managed companies.
The license usage number for a company links to a new window, where you can find detailed usage information, such as domains licensed on that company and the belonging mailboxes.
Exchange – Top 10 Detected Malware
Informs you about the top 10 most detected malware threats in email attachments. You can generate two views containing different statistics. One view shows the number of detections by affected recipients and one by senders.
For example, GravityZone has detected one email with an infected attachment sent to five recipients.
In the recipients view:
The report shows five detections.
The report details shows only the recipients, not the senders.
In the senders view:
The report shows one detection.
The report details shows only the sender, not the recipients.
Besides the sender/recipients and the malware name, the report provides you with the following details:
The malware type (virus, spyware, PUA, etc.)
The server where the threat was detected.
Measures that the antimalware module has taken.
Date and time of the last detection.
Exchange – Top 10 Malware Recipients
Shows you the top 10 email recipients most targeted by malware over a specific time interval.
The report details provide you with the entire malware list that affected these recipients, together with the actions taken.
Exchange – Top 10 Spam Recipients
Shows you the top 10 email recipients by the number of spam or phishing emails detected over a specific time interval. The report provides information also on the actions applied to the respective emails.