
ON PREMISES SOLUTIONS

Report types

Different report types are available for each endpoint type:

Computer, virtual machine and container reports

These are the available report types for physical and virtual machines:

  • Antiphishing Activity

    Informs you about the activity of the Antiphishing module of Bitdefender Endpoint Security Tools. You can view the number of blocked phishing websites on the selected endpoints and the user that was logged in at the time of the last detection. By clicking the links in the Blocked Websites column, you can also view the website URLs, how many times they were blocked and when the last block event occurred.

    The report also includes a classification of the detection events and affected endpoints as follows:

    • Top 10 domains blocked on endpoints, which details the most frequently detected domains (available only in PDF format).

    • Top 10 affected endpoints, which informs you about the endpoints that have the most Antiphishing detections (available only in PDF format).

    • Affected endpoints, which presents the total number of endpoints with at least one detection.

    • Total detections, which provides the total number of phishing detections on all endpoints.

  • Blocked Applications

    Informs you about the activity of the following modules: Antimalware, Firewall, Content Control, Application Control, Advanced Anti-Exploit and ATC/IDS. You can see the number of blocked applications on the selected endpoints and the user that was logged in at the time of the last detection.

    Click the number associated with a target to view additional information on the blocked applications, the number of events that occurred, and the date and time of the last block event.

    In this report, you can quickly instruct the protection modules to allow the selected application to run on the target endpoint:


    • Click the Add Exception button to define exceptions in the following modules: Antimalware, ATC, Content Control and Firewall. A confirmation window will show up, informing you of the new rule that will modify the existing policy for that specific endpoint.

    • Click the Add Rule button to define a rule for an application or a process in Application Control. In the configuration window, apply the rule to an existing policy. A message will inform you of the new rule that will modify the policy assigned to that specific endpoint. The report also displays the number of access attempts and whether the module is running in Test Mode or in Production Mode.

  • Blocked Websites

    Informs you about the activity of the Web Control module of Bitdefender Endpoint Security Tools. For each target, you can view the number of blocked websites. By clicking this number, you can view additional information, such as:

    • Website URL and category

    • Number of access attempts per website

    • Date and time of the last attempt, as well as the user that was logged in at the time of the detection.

    • Reason for blocking, which includes scheduled access, malware detection, category filtering and blacklisting.

  • Customer Status Overview

    Helps you find out about protection issues within your customer companies. A company has issues if malware is detected, the Antimalware module is outdated or the license has expired. The company name is a link to a new window, where you can find company details.

  • Data Protection

    Informs you about the activity of the Data Protection module of Bitdefender Endpoint Security Tools. You can see the number of blocked emails and websites on the selected endpoints, as well as the user that was logged in at the time of the last detection.

  • Device Control Activity

    Informs you about the events that occurred when the monitored devices were used on the endpoints. For each target endpoint, you can view the number of allowed, blocked and read-only access events. If events occurred, additional information is available by clicking the corresponding numbers. Details refer to:

    • User logged on the machine

    • Device type and ID

    • Device vendor and product ID

    • Date and time of the event.

  • Endpoint Encryption Status

    Provides you with data regarding the encryption status on the endpoints. A pie chart displays the number of machines that are compliant and non-compliant with the encryption policy settings.

    A table below the pie chart delivers details such as:

    • Endpoint name.

    • Fully Qualified Domain Name (FQDN).

    • Machine IP.

    • Operating system.

    • Device policy compliance:

      • Compliant – when the volumes are all encrypted or unencrypted according to the policy.

      • Non-compliant – when the status of the volumes is not consistent with the assigned policy (for example, only one of two volumes is encrypted or an encryption process is in progress on that volume).

    • Device policy (Encrypt or Decrypt).

    • Click the numbers in the Volumes Summary column to view information about each endpoint’s volumes: ID, name, encryption status (Encrypted or Unencrypted), issues, type (Boot or Non-boot), size, Recovery Key ID.
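    The compliance rule described above, applied in code. This is an added example and not GravityZone code: the volume records are constructed sample data, and the record layout and field names are assumptions rather than the product's export format.

```python
# Added example (not GravityZone code): the compliance rule of the Endpoint
# Encryption Status report applied to constructed volume data. The record
# layout and field names are assumptions, not the product's export format.
from dataclasses import dataclass


@dataclass(frozen=True)
class Volume:
    volume_id: str
    status: str                 # "Encrypted" or "Unencrypted"
    boot: bool = False          # True for the boot volume
    in_progress: bool = False   # encryption/decryption still running on this volume


def compliance(policy: str, volumes: list[Volume]) -> str:
    """Return "Compliant" or "Non-compliant" for one endpoint.

    policy is the device policy shown in the report, "Encrypt" or "Decrypt".
    Every volume must already be in the state the policy asks for; a mixed
    set of volumes or an operation still in progress is non-compliant.
    """
    if policy not in ("Encrypt", "Decrypt"):
        raise ValueError(f"unknown device policy {policy!r}")
    wanted = "Encrypted" if policy == "Encrypt" else "Unencrypted"
    for vol in volumes:
        if vol.in_progress or vol.status != wanted:
            return "Non-compliant"
    return "Compliant"


def issues(policy: str, volumes: list[Volume]) -> list[str]:
    """Reasons behind a Non-compliant verdict (empty list when compliant)."""
    wanted = "Encrypted" if policy == "Encrypt" else "Unencrypted"
    found = []
    for vol in volumes:
        if vol.in_progress:
            found.append(f"{vol.volume_id}: operation in progress")
        elif vol.status != wanted:
            found.append(f"{vol.volume_id}: {vol.status}, policy wants {wanted}")
    return found


# Constructed sample: endpoint name -> (device policy, volumes)
SAMPLE = {
    "ws01": ("Encrypt", [Volume("C", "Encrypted", boot=True), Volume("D", "Encrypted")]),
    "ws02": ("Encrypt", [Volume("C", "Encrypted", boot=True), Volume("D", "Unencrypted")]),
    "ws03": ("Encrypt", [Volume("C", "Encrypted", boot=True), Volume("D", "Encrypted", in_progress=True)]),
    "srv01": ("Decrypt", [Volume("C", "Unencrypted", boot=True)]),
}


def summary(endpoints=SAMPLE) -> dict[str, str]:
    """Endpoint name -> compliance status, one row per endpoint."""
    return {name: compliance(policy, vols) for name, (policy, vols) in endpoints.items()}


def pie_counts(endpoints=SAMPLE) -> dict[str, int]:
    """The two numbers behind the report's pie chart."""
    counts = {"Compliant": 0, "Non-compliant": 0}
    for status in summary(endpoints).values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    for name, status in summary().items():
        policy, vols = SAMPLE[name]
        print(f"{name:6} {policy:8} {status:14} {'; '.join(issues(policy, vols))}")
    print(pie_counts())
```

    Note that ws03 is non-compliant even though both volumes report Encrypted: an operation still in progress on one volume is enough, which matches the report's definition and is the case most often misread when the pie chart is checked shortly after a policy change.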

  • Endpoint Modules Status

    Provides an overview of the protection module coverage over the selected targets. In the report details, for each target endpoint, you can view which modules are active, disabled or not installed, as well as the scanning engine in use. Clicking the endpoint name opens the Information window with details about the endpoint and the installed protection layers.

    By clicking the Reconfigure Client button, you can start a task to change the initial settings of one or several selected endpoints. For details, refer to Reconfigure client.

  • Endpoint Protection Status

    Provides you with various status information concerning selected endpoints from your network.

    • Antimalware protection status

    • Bitdefender Endpoint Security Tools update status

    • Network activity status (online/offline)

    • Management status

    You can apply filters by security aspect and status to find the information you are looking for.

  • Firewall Activity

    Informs you about the activity of the Firewall module of Bitdefender Endpoint Security Tools. You can see the number of blocked traffic attempts and blocked port scans on the selected endpoints, as well as the user that was logged in at the time of the last detection.

  • HyperDetect Activity

    Informs you about the activity of the HyperDetect module of Bitdefender Endpoint Security Tools.

    The chart in the upper side of the report page shows you the dynamics of the attack attempts over the specified period of time and their distribution by type of attack. Moving the mouse over the legend entries will highlight the associated attack type in the chart. Clicking the entry will show or hide the respective line in the chart. Clicking any point on a line will filter your table data according to the selected type. For example, if you click any point on the orange line, the table will display only exploits.

    The details in the lower part of the report help you identify the breaches in your network and whether they were addressed. They refer to:

    • For file-based detections, the path to the malicious file or the detected URL. For file-less attacks, the name of the executable used in the attack, with a link to a details window that displays the detection reason and the malicious command line.

    • The endpoint on which the detection was made

    • The protection module which detected the threat. As HyperDetect is an additional layer of the Antimalware and Content Control modules, the report will provide information about one of these two modules, depending on the type of detection.

    • The type of the intended attack (targeted attack, grayware, exploits, ransomware, suspicious files and network traffic)

    • The threat status

    • The module protection level at which the threat was detected (Permissive, Normal, Aggressive)

    • Number of times the threat was detected

    • Most recent detection

    • Identification as a file-less attack (yes or no), to quickly filter the file-less attacks detections

    • The exact name of the detected threat

    • The file hash

    Note

    A file may be involved in more than one type of attack. GravityZone therefore reports it once for each attack type it was involved in.

    From this report, you can quickly resolve false positives, by adding exceptions in the assigned security policies. To do so:

    1. Select as many entries in the table as you need.

      Note

      File-less attack detections cannot be added to the exceptions list, because the detected executable is not malicious in itself; it becomes a threat only when launched with a maliciously encoded command line. Excluding the executable would suppress detection of every command line run through it.

    2. Click the Add exception button at the upper side of the table.

    3. In the configuration window, select the policies to which the exception should be added and then click Add.

      By default, related information for each added exception is sent to Bitdefender Labs, to help to improve the detection capabilities of Bitdefender products. You can control this action using the Submit this feedback to Bitdefender for a better analysis checkbox.

    If the threat was detected by the Antimalware module, the exception will apply to both On-access and On-demand scanning modes.

    Note

    You can find these exceptions in the following sections of the selected policies: Antimalware > Settings for files, and Content Control > Traffic for URLs.

  • Malware Status

    Helps you find out how many and which of the selected endpoints have been affected by malware over a specific time period and how the threats have been dealt with. You can also see the user that was logged in at the time of the last detection.

    Endpoints are grouped based on these criteria:

    • Endpoints with no detections (no malware threat has been detected over the specified time period)

    • Endpoints with resolved malware (all detected files have been successfully disinfected or moved to quarantine)

    • Endpoints with unresolved malware (some of the detected files have been denied access to)

    For each endpoint, by clicking the links available in the disinfection result columns, you can view the list of threats and paths to the affected files.

    In this report, you can quickly run a Full Scan task on the unresolved targets, by clicking the Scan infected targets button from the Action Toolbar above the data table.
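    The grouping described above, applied in code. This is an added example and not GravityZone code: the detection records are constructed sample data, the action names follow the report text, and the record layout is an assumption.

```python
# Added example (not GravityZone code): grouping endpoints the way the Malware
# Status report does, over constructed detection records. The action names
# follow the report text; the record layout itself is an assumption.
from dataclasses import dataclass

# Actions that count as "resolved" for the report's grouping.
RESOLVED_ACTIONS = {"Disinfected", "Quarantined"}


@dataclass(frozen=True)
class Detection:
    endpoint: str
    threat: str
    path: str
    action: str     # final action taken on the file: "Disinfected", "Quarantined", "Access denied"


# Constructed sample data: the endpoints selected for the report and their detections.
ENDPOINTS = ["ws01", "ws02", "ws03", "ws04"]
DETECTIONS = [
    Detection("ws02", "Trojan.GenericKD", r"C:\Users\a\Downloads\inv.exe", "Quarantined"),
    Detection("ws02", "EICAR-Test-File", r"C:\tmp\eicar.com", "Disinfected"),
    Detection("ws03", "Trojan.GenericKD", r"C:\Users\b\AppData\Local\Temp\x.dll", "Access denied"),
    Detection("ws03", "Adware.Generic", r"C:\Program Files\foo\bar.exe", "Quarantined"),
]


def group_endpoints(endpoints=ENDPOINTS, detections=DETECTIONS) -> dict[str, list[str]]:
    """Split the selected endpoints into the report's three groups."""
    by_endpoint: dict[str, list[Detection]] = {}
    for det in detections:
        by_endpoint.setdefault(det.endpoint, []).append(det)
    groups: dict[str, list[str]] = {"no_detections": [], "resolved": [], "unresolved": []}
    for name in endpoints:
        dets = by_endpoint.get(name, [])
        if not dets:
            groups["no_detections"].append(name)
        elif all(d.action in RESOLVED_ACTIONS for d in dets):
            groups["resolved"].append(name)
        else:
            # at least one file was only blocked (access denied), not cleaned
            groups["unresolved"].append(name)
    return groups


def unresolved_files(endpoint: str, detections=DETECTIONS) -> list[tuple[str, str]]:
    """Threat name and path of each file on the endpoint that was blocked but not cleaned."""
    return [(d.threat, d.path) for d in detections
            if d.endpoint == endpoint and d.action not in RESOLVED_ACTIONS]


def scan_targets(endpoints=ENDPOINTS, detections=DETECTIONS) -> list[str]:
    """Endpoints the "Scan infected targets" action would run a Full Scan on."""
    return group_endpoints(endpoints, detections)["unresolved"]


if __name__ == "__main__":
    for group, names in group_endpoints().items():
        print(f"{group:14} {names}")
    for name in scan_targets():
        print(name, unresolved_files(name))
```

    A single Access denied file is enough to put an endpoint in the unresolved group even when its other detections were quarantined, which is why ws03 is the only scan target here.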

  • Network Incidents

    Informs you about the activity of the Network Attack Defense module. A graph displays the number of the attack attempts detected over a specified interval. The report details include:

    • Endpoint name, IP and FQDN

    • Username

    • Detection name

    • Attack technique

    • Number of attempts

    • Attacker’s IP

    • Targeted IP and port

    • When the attack was blocked most recently

    Clicking the Add exceptions button for a selected detection automatically creates an entry in Global Exclusions from the Network Protection section.

  • Network Patch Status

    Check the update status of the software that is installed in your network. The report reveals the following details:

    • Target machine (endpoint name, IP and operating system).

    • Security patches (installed patches, failed patches, missing security and non-security patches).

    • Status and last modified time for checked-out endpoints.

  • Network Protection Status

    Provides detailed information on the overall security status of the target endpoints. For example, you can view information about:

    • Available protection layers

    • Managed and unmanaged endpoints

    • License type and status (additional license related columns are hidden by default)

    • Infection status

    • Update status of the product and security content

    • Software security patch status (missing security or non-security patches)

    • Users who logged into the computer

    For unmanaged endpoints, the other columns show the Unmanaged status.

  • On-demand Scanning

    Provides information regarding on-demand scans performed on the selected targets. A pie chart displays the statistics of successful and failed scans. The table below the chart provides details regarding the scan type, occurrence and last successful scan for each endpoint.

  • Policy Compliance

    Provides information regarding the security policies applied on the selected targets. A pie chart displays the status of the policy. In the table below the chart, you can see the assigned policy on each endpoint and the policy type, as well as the date and the user that assigned it.

  • Sandbox Analyzer Failed Submissions

    Displays all failed submissions of objects sent from the endpoints to Sandbox Analyzer over a specified time period. A submission is considered failed after several retry attempts.

    The graphic shows the variation of the failed submissions during the selected period, while in the report details table you can view which files could not be sent to Sandbox Analyzer, the machine where the object was sent from, date and time for each retry, the error code returned, description of each failed retry and the company name.

  • Sandbox Analyzer Results

    Provides you with detailed information related to the files on target endpoints, which were analyzed in the sandbox over a specified time period. A line chart displays the number of the clean or dangerous analyzed files, while the table presents you with details on each case.

    You can generate a Sandbox Analyzer Results report for all analyzed files or only for those detected as malicious.

    You can view:

    • Analysis verdict, saying whether the file is clean, dangerous or unknown (Threat detected / No threat detected / Unsupported). This column shows up only when you select the report to display all analyzed objects.

      To view the complete list with file types and extensions supported by Sandbox Analyzer, refer to Supported File Types and Extensions for Manual Submission .

    • Threat type, such as adware, rootkit, downloader, exploit, host-modifier, malicious tools, password stealer, ransomware, spam or Trojan.

    • Date and time of the detection, which you can filter depending on the reporting period.

    • Hostname or IP of the endpoint where the file was detected.

    • Name of the files, if they were submitted individually, or number of analyzed files in case of a bundle. Click the file name or bundle link to view details and actions taken.

    • Remediation action status for the submitted files (Partial, Failed, Reported Only, Successful).

    • Company name.

    • More information about the properties of the analyzed file is available by clicking the Read more button in the Analysis Result column. Here you can view security insights and detailed reporting on the sample behavior.

    Sandbox Analyzer captures the following behavioral events:

    • Writing / deleting / moving / duplicating / replacing files on the system and on removable drives.

    • Execution of newly-created files.

    • Changes to the file system.

    • Changes to the applications running inside the virtual machine.

    • Changes to the Windows taskbar and Start menu.

    • Creating / terminating / injecting processes.

    • Writing / deleting registry keys.

    • Creating mutex objects.

    • Creating / starting / stopping / modifying / querying / deleting services.

    • Changing browser security settings.

    • Changing Windows Explorer display settings.

    • Adding files to firewall exception list.

    • Changing network settings.

    • Enabling execution at system startup.

    • Connecting to a remote host.

    • Accessing certain domains.

    • Transferring data to and from certain domains.

    • Accessing URLs, IPs and ports through various communication protocols.

    • Checking the indicators of virtual environment.

    • Checking the indicators of monitoring tools.

    • Creating snapshots.

    • SSDT, IDT, IRP hooks.

    • Memory dumps for suspicious processes.

    • Windows API functions calls.

    • Becoming inactive for a certain time period to delay execution.

    • Creating files with actions to be executed at certain time intervals.

    In the Analysis Result window, click the Download button to save to your computer the Behavior Summary content in the following formats: XML, HTML, JSON, PDF.

    This report will continue to be supported for a limited amount of time. It is recommended for you to use instead submission cards to gather the necessary information on analyzed samples. The submission cards are available in the Sandbox Analyzer section, in the main menu of Control Center.

  • Security Audit

    Provides information about the security events that occurred on a selected target. The information refers to the following events:

    • Malware detection

    • Blocked application

    • Blocked port scan

    • Blocked traffic

    • Blocked website

    • Blocked device

    • Blocked email

    • Blocked process

    • Advanced Anti-Exploit events

    • Network Attack Defense events

    To simplify the analysis of Antimalware detections, the report classifies them, along with the affected endpoints, based on the following criteria:

    • Top 10 malware by number of endpoints, which details the most frequent Antimalware detections (available only in PDF format).

    • Top 10 endpoints by number of Antimalware detections, which informs you about the endpoints that have the most Antimalware detections (available only in PDF format).

    • Endpoints, which presents the total number of endpoints with at least one Antimalware detection.

    • Detections, which provides the total number of Antimalware detections on all endpoints.

  • Security Server Status

    Helps you evaluate the status of the target Security Servers. You can identify the issues each Security Server might have, with the help of various status indicators, such as:

    • Status: shows the overall Security Server status.

    • Machine status: informs which Security Server appliances are stopped.

    • AV status: points out whether the Antimalware module is enabled or disabled.

    • Update status: shows if the Security Server appliances are updated or whether the updates have been disabled.

    • Load status: indicates the scan load level of a Security Server as described herein:

      • Underloaded, when less than 5% of its scanning capacity is used.

      • Normal, when the scan load is balanced.

      • Overloaded, when the scan load exceeds 90% of its capacity. In such a case, check the security policies. If all Security Servers allocated within a policy are overloaded, you need to add another Security Server to the list. Otherwise, check the network connection between the clients and the Security Servers that have no load issues.

    • Connected Storage Devices: informs how many ICAP-compliant storage devices are connected to Security Server. Clicking the number will display the list of storage devices, with details for each one: name, IP, type, date and time of the last connection.

    • Storage Scanning Status: indicates if the Security for Storage service is enabled or disabled.

    You can also view how many agents are connected to the Security Server. Further on, clicking the number of connected clients will display the list of endpoints. These endpoints may be vulnerable if the Security Server has issues.

  • Security Container Status

    Helps you evaluate the status of the target Security Containers. You can identify the issues each Security Container might have, with the help of various status indicators, such as:

    • Security Container Name: the name of the container

    • IP: the IP address of the container

    • Container Host: displays the host managing this specific container

    • Status: shows the overall container status

    • Last Security Content Update: date at which the container was last updated

    • Security Content Update Status: shows if the security content is up to date or whether the updates have been disabled.

    • Product Update Status: shows if the product version is up to date or whether the updates have been disabled.

    • Current Product Version: product version currently installed on the container.

    • Last Product Update: date at which the Security Container was deployed.

      Note

      To update a Security Container you need to redeploy it with the new product version.

    • Latest Product Version: latest product version available.

  • Top 10 Detected Malware

    Shows you the top 10 malware threats detected over a specific time period on selected endpoints.

    Note

    The details table displays all endpoints which were infected by the top 10 detected malware.

  • Top 10 Infected Endpoints

    Shows you the top 10 most infected endpoints by the number of total detections over a specific time period out of the selected endpoints.

    Note

    The details table displays all malware detected on the top 10 infected endpoints.

  • Update Status


    Shows you the update status of the security agent or Security Server installed on selected targets. The update status refers to product and security content versions.

    Using the available filters, you can easily find out which clients have updated and which have not in the last 24 hours.

    In this report, you can quickly bring the agents to the latest version. To do this, click the Update button from the Action Toolbar above the data table.

  • Upgrade Status

    Shows you the security agents installed on the selected targets and whether a more recent solution is available.

    For endpoints with old security agents installed, you can quickly install the latest supported security agent by clicking the Upgrade button.

    Note

    This report is available only when a GravityZone solution upgrade has been made.

  • Virtual Machines Network Protection Status

    Informs you of the Bitdefender protection coverage in your virtualized environment. For each of the selected machines, you can view which component resolves security issues:

    • Security Server, for agentless deployments in VMware NSX and vShield environments.

    • A security agent, in any other situation

  • Ransomware Activity

    Informs you about the ransomware attacks that GravityZone detected on the endpoints you manage, and provides you with the tools needed to recover the files affected during the attacks.

    The report is available as a page in Control Center, distinct from the other reports, accessible right from the Control Center main menu.

    The Ransomware Activity page consists of a grid that, for each ransomware attack, lists the following:

    • The name, IP address and FQDN of the endpoint on which the attack took place

    • The company to which the endpoint belongs

    • The name of the user who was logged in during the attack

    • The type of attack, local or remote

    • The process under which the ransomware ran for local attacks, or the IP address from which the attack was initiated for remote ones

    • Date and time of the detection

    • Number of files encrypted until the attack was blocked

    • The restore action status for all files on the target endpoint

    Some details are hidden by default. Click the Show/Hide Columns button in the upper right side of the page to configure the details you want to view in the grid. If you have many entries in the grid, you can choose to hide filters using the Show/Hide filters button in the upper right side of the page.

    Additional information is available by clicking the number for files. You can view a list with the full path to the original and restored files, and the restore status for all files involved in the selected ransomware attack.

    Important

    The backup copies are kept for a maximum of 30 days. Note the date and time until which files can still be recovered.

    To recover files from ransomware:

    1. Select the attacks you want in the grid.

    2. Click the Restore files button. A confirmation window shows up.

      A recovery task is created. You can check its status in the Tasks page, just like for any other task in GravityZone.

    If detections are the result of legitimate processes, follow these steps:

    1. Select the records in the grid.

    2. Click the Add exclusion button.

    3. In the new window, select the policies to which the exclusion must apply.

    4. Click Add.

      GravityZone will apply all possible exclusions: on folder, on process, and on IP address.

      You can check or modify them in the Antimalware > Settings > Custom Exclusions policy section.

    Note

    Ransomware Activity keeps record of events for two years.

Exchange Server reports

These are the available report types for Exchange Servers:

  • Exchange - Blocked Content and Attachments

    Provides you with information about emails or attachments that Content Control deleted from the selected servers over a specific time interval. The information includes:

    • Email addresses of the sender and of the recipients.

      When the email has several recipients, instead of the email addresses, the report displays the number of recipients with a link to a window containing the list of email addresses.

    • Email subject.

    • Detection type, indicating which Content Control filter detected the threat.

    • The action taken on the detection.

    • The server where the threat was detected.

  • Exchange - Blocked Unscannable Attachments

    Provides you with information about emails containing unscannable attachments (over-compressed, password-protected, etc.), blocked on the selected Exchange mail servers over a specific time period. The information refers to:

    • Email addresses of the sender and of the recipients.

      When the email is sent to several recipients, instead of the email addresses, the report displays the number of recipients with a link to a window containing the list of email addresses.

    • Email subject.

    • The actions taken to remove the unscannable attachments:

      • Deleted Email, indicating that the entire email has been removed.

      • Deleted Attachments, a generic name for all actions that remove attachments from the email message, such as deleting the attachment, moving to quarantine or replacing it with a notice.

      By clicking the link in the Action column, you can view details about each blocked attachment and the corresponding action taken.

    • Detection date and time.

    • The server where the email was detected.

  • Exchange - Email Scan Activity

    Shows statistics on the actions taken by the Exchange Protection module over a specific time interval.

    The actions are grouped by detection type (malware, spam, forbidden attachment and forbidden content) and by server.

    The statistics refer to the following email statuses:

    • Quarantined. These emails were moved to the Quarantine folder.

    • Deleted/Rejected. These emails were deleted or rejected by the server.

    • Redirected. These emails were redirected to the email address supplied in the policy.

    • Cleaned and delivered. These emails had the threats removed and passed through the filters.

      An email is considered cleaned when all detected attachments have been disinfected, quarantined, deleted or replaced with text.

    • Modified and delivered. Scan information was added to the emails headers and the emails passed through the filters.

    • Delivered without any other action. These emails were ignored by Exchange Protection and passed through the filters.

  • Exchange - Malware Activity

    Provides you with information about emails with malware threats, detected on the selected Exchange mail servers over a specific time period. The information refers to:

    • Email addresses of the sender and of the recipients.

      When the email is sent to several recipients, instead of the email addresses, the report displays the number of recipients with a link to a window containing the list of email addresses.

    • Email subject.

    • Email status after antimalware scan.

      By clicking the status link, you can view details about the detected malware and the action taken.

    • Detection date and time.

    • The server where the threat was detected.

  • Exchange - Top 10 Detected Malware

    Informs you about the top 10 most detected malware threats in email attachments. You can generate two views containing different statistics. One view shows the number of detections by affected recipients and one by senders.

    For example, GravityZone has detected one email with an infected attachment sent to five recipients.

    • In the recipients view:

      • The report shows five detections.

      • The report details show only the recipients, not the senders.

    • In the senders view:

      • The report shows one detection.

      • The report details show only the sender, not the recipients.

    Besides the sender/recipients and the malware name, the report provides you with the following details:

    • The malware type (virus, spyware, PUA, etc.)

    • The server where the threat was detected.

    • Measures that the Antimalware module has taken.

    • Date and time of the last detection.
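    The two counting rules above, applied to the same set of detections so the difference between the views is visible. This is an added example and not GravityZone code: the email records are constructed, and the record layout and function names are assumptions.

```python
# Added example (not GravityZone code): how the recipients view and the senders
# view of the Exchange - Top 10 Detected Malware report count the same
# detections. The email records are constructed; the layout is an assumption.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class MailDetection:
    malware: str
    sender: str
    recipients: tuple[str, ...]
    server: str
    action: str


# Constructed sample: one infected mail to five recipients, plus three separate
# mails carrying a different sample to one recipient each.
SAMPLE = [
    MailDetection("Trojan.Agent.A", "bad@example.net",
                  ("u1@corp.example", "u2@corp.example", "u3@corp.example",
                   "u4@corp.example", "u5@corp.example"), "EXCH01", "Quarantined"),
    MailDetection("Worm.B", "w1@example.net", ("u1@corp.example",), "EXCH01", "Deleted"),
    MailDetection("Worm.B", "w2@example.net", ("u6@corp.example",), "EXCH02", "Deleted"),
    MailDetection("Worm.B", "w3@example.net", ("u7@corp.example",), "EXCH02", "Deleted"),
]


def recipients_view(detections=SAMPLE) -> Counter:
    """Detections per malware name, counting one per affected recipient."""
    counts: Counter = Counter()
    for d in detections:
        counts[d.malware] += len(d.recipients)
    return counts


def senders_view(detections=SAMPLE) -> Counter:
    """Detections per malware name, counting one per sending email."""
    counts: Counter = Counter()
    for d in detections:
        counts[d.malware] += 1
    return counts


def top_n(view: Counter, n: int = 10) -> list[tuple[str, int]]:
    """The ranking the report shows for the chosen view."""
    return view.most_common(n)


def parties(malware: str, view: str, detections=SAMPLE) -> list[str]:
    """Report details: recipients only in the recipients view, senders only in the senders view."""
    out = []
    for d in detections:
        if d.malware != malware:
            continue
        out.extend(d.recipients if view == "recipients" else (d.sender,))
    return sorted(set(out))


if __name__ == "__main__":
    print("recipients view:", top_n(recipients_view()))
    print("senders view:   ", top_n(senders_view()))
    print(parties("Trojan.Agent.A", "recipients"))
    print(parties("Trojan.Agent.A", "senders"))
```

    With this data the ranking flips between the views: one mass-mailed sample tops the recipients view with five detections, while the sample sent in three separate emails tops the senders view. Compare the two before treating either top-10 as a measure of how widespread a threat is.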

  • Exchange - Top 10 Malware Recipients

    Shows you the top 10 email recipients most targeted by malware over a specific time interval.

    The report details provide you with the entire malware list that affected these recipients, together with the actions taken.

  • Exchange - Top 10 Spam Recipients

    Shows you the top 10 email recipients by the number of spam or phishing emails detected over a specific time interval. The report provides information also on the actions applied to the respective emails.

Mobile devices reports

Note

Malware protection and related reports are only available for Android devices.

This is the list of available report types for mobile devices:

  • Malware Status

    Helps you find out how many and which of the target mobile devices have been affected by malware over a specific time period and how the threats have been dealt with. Mobile devices are grouped based on these criteria:

    • Mobile devices with no detections (no malware threat has been detected over the specified time period)

    • Mobile devices with resolved malware (all detected files have been removed)

    • Mobile devices with existing malware (some of the detected files have not been deleted)

  • Malware Activity

    Provides you with details about the malware threats detected over a specific time period on target mobile devices. You can see:

    • Number of detections (files that have been found infected with malware)

    • Number of resolved infections (files that have been successfully removed from the device)

    • Number of unresolved infections (files that have not been removed from the device)

  • Top 10 Infected Devices

    Shows you the top 10 most infected mobile devices over a specific time period out of the target mobile devices.

    Note

    The details table displays all malware detected on the top 10 infected mobile devices.

  • Top 10 Detected Malware

    Shows you the top 10 malware threats detected over a specific time period on the target mobile devices.

    Note

    The details table displays all mobile devices which were infected by the top 10 detected malware.

  • Device Compliance

    Informs you of the compliance status of the target mobile devices. You can see the device name, status, operating system and the non-compliance reason.

    For more information regarding compliance requirements, please check Security.

  • Device Synchronization

    Informs you of the synchronization status of the target mobile devices. You can view the device name, the user it is assigned to, as well as the synchronization status, the operating system and the time when the device was last seen online.

    For more information, refer to Checking the Mobile Devices Status.

  • Blocked Websites

    Informs you about the number of attempts of the target devices to access websites which are blocked by Web Access rules, over a certain time interval.

    For each device with detections, click the number provided in the Blocked Websites column to view detailed information of each blocked web page, such as:

    • Website URL

    • Policy component that performed the action

    • Number of blocked attempts

    • Last time when the website was blocked

    For more information about the web access policy settings, refer to Profiles.

  • Web Security Activity

    Informs you about the number of attempts of the target mobile devices to access websites with security threats (phishing, fraud, malware or untrusted websites), over a certain time interval. For each device with detections, click the number provided in the Blocked Websites column to view detailed information of each blocked web page, such as:

    • Website URL

    • Type of threat (phishing, malware, fraud, untrusted)

    • Number of blocked attempts

    • Last time when the website was blocked

    Web Security is the policy component which detects and blocks websites with security issues. For more information about the web security policy settings, refer to Security.