
Creating report in SEP 11 (Showing location of infected files)

  • 1.  Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 21, 2010 05:58 PM

    Version:  SEP 11.0.6

    I have been through all the reports and searched online for the answer, but alas I was unable to find it.
    Perhaps I missed it along the way, but some help would be appreciated.


    How do I create a report showing the following information.

    1)  Computer/User that the risk was detected on (virus, spyware, trojan, etc.)
    2)  Location of virus/trojan infected file and when it was found.
    3)  What was done to the detected virus/trojan.


    I can't seem to find this info anywhere to make a scheduled report.



  • 2.  RE: Creating report in SEP 11 (Showing location of infected files)



  • 3.  RE: Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 21, 2010 06:30 PM

    So basically, getting this important information from a report is not possible in Symantec Endpoint Security anymore.


    I would have to export logs and "manipulate" them to get what I am after.



  • 4.  RE: Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 21, 2010 10:21 PM

    You could create Notification alerts from Monitors- Notifications-Notification conditions-Add a notification condition.

     

    Then you could select single risk event or risk outbreak.

    http://www.symantec.com/business/support/index?page=content&id=TECH104394&locale=en_US



  • 5.  RE: Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 22, 2010 12:55 AM

    In SEPM it is always better to export the logs and import them into Excel. This will give you some useful data. The direct reports are not helpful in most situations...



  • 6.  RE: Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 22, 2010 08:54 AM

    Check the below article which will explain about the Risk Report

    Title: 'About Risk reports and logs'
    Web URL: http://www.symantec.com/business/support/index?page=content&id=TECH95543&locale=en_US

    After checking this you can decide which report to generate.



  • 7.  RE: Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 22, 2010 10:33 AM

    Thanks for all your feedback.

    Although it would be nice and very helpful, to get this information from a report, I will look into your other suggestions and see what I can come up with.

    Thanks again all.



  • 8.  RE: Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 22, 2010 11:12 AM

    Hi all,

    This thread is now included in our weekly Security Solutions Contest.  Simply do your best to solve this thread, or the others included in the contest, and you could be crowned "King For A Week!"  Check out the blog for more details, or send me a PM.

    Best,

    Eric



  • 9.  RE: Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 22, 2010 01:51 PM

    I think if it was me wanting this info I would set up a SQL query in Excel (or Crystal Reports, of course) to connect directly to the SEM5 database and extract the data I wanted rather than jumping through the hoops of exporting the data and then massaging it in Excel. I would use the "SEM_COMPUTER" table to get the relevant computer info tied to the "Alerts" table to get the info on the risks. In this fashion the data would be current whenever I wanted the report and I would not have to export it and massage it each time I wanted the report.



  • 10.  RE: Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 22, 2010 03:58 PM

    Here's a sample SQL query you can use in Microsoft Query (in Excel) to get some report data as a starting point:

    SELECT SEM_COMPUTER.COMPUTER_NAME, ALERTS.SOURCE, VIRUS.VIRUSNAME, ALERTS.NOOFVIRUSES,
           ALERTS.FILEPATH, ALERTS.DESCRIPTION, ACTUALACTION.ACTUALACTION,
           ALERTS.REQUESTEDACTION_IDX, ALERTS.SECONDARYACTION_IDX, ALERTS.ALERTDATETIME,
           ALERTS.USER_NAME
    FROM sem5.dbo.ACTUALACTION ACTUALACTION, sem5.dbo.ALERTS ALERTS,
         sem5.dbo.SEM_COMPUTER SEM_COMPUTER, sem5.dbo.VIRUS VIRUS
    WHERE SEM_COMPUTER.COMPUTER_ID = ALERTS.COMPUTER_IDX
      AND VIRUS.VIRUSNAME_IDX = ALERTS.VIRUSNAME_IDX
      AND ACTUALACTION.ACTUALACTION_IDX = ALERTS.ACTUALACTION_IDX

    You'll need to set up a connection to your database and change the database name in the query above to match your SEP database name. Add or remove the actual columns that you want to see, sort it however you want it, and away you go...
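
A weekly variant of the query above, as an added example that is not part of the original post or Symantec's own reporting: the first statement lists who, which file, when and what action for the last seven days, and the second rolls the same period up per computer. It uses only tables and columns named in the post, and assumes a Microsoft SQL Server database named sem5, that ALERTS.ALERTDATETIME is a datetime column comparable with GETDATE(), and that the connection uses a read-only login.

```sql
-- Added example (assumptions: SQL Server, database "sem5", ALERTDATETIME is datetime).
-- Run with a login that has SELECT permission only on the SEPM database.

-- 1) Detail: computer/user, infected file location, detection time, action taken.
SELECT
    c.COMPUTER_NAME,
    a.USER_NAME,
    v.VIRUSNAME,
    a.FILEPATH,
    a.ALERTDATETIME,
    act.ACTUALACTION
FROM sem5.dbo.ALERTS AS a
INNER JOIN sem5.dbo.SEM_COMPUTER AS c
        ON c.COMPUTER_ID = a.COMPUTER_IDX
INNER JOIN sem5.dbo.VIRUS AS v
        ON v.VIRUSNAME_IDX = a.VIRUSNAME_IDX
INNER JOIN sem5.dbo.ACTUALACTION AS act
        ON act.ACTUALACTION_IDX = a.ACTUALACTION_IDX
WHERE a.ALERTDATETIME >= DATEADD(day, -7, GETDATE())   -- last seven days only
ORDER BY c.COMPUTER_NAME, a.ALERTDATETIME;

-- 2) Rollup: one row per computer for the same seven-day window.
SELECT
    c.COMPUTER_NAME,
    COUNT(*)                        AS DETECTIONS,
    COUNT(DISTINCT a.VIRUSNAME_IDX) AS DISTINCT_RISKS,
    MIN(a.ALERTDATETIME)            AS FIRST_DETECTION,
    MAX(a.ALERTDATETIME)            AS LAST_DETECTION
FROM sem5.dbo.ALERTS AS a
INNER JOIN sem5.dbo.SEM_COMPUTER AS c
        ON c.COMPUTER_ID = a.COMPUTER_IDX
WHERE a.ALERTDATETIME >= DATEADD(day, -7, GETDATE())
GROUP BY c.COMPUTER_NAME
ORDER BY DETECTIONS DESC;
```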



  • 11.  RE: Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 23, 2010 12:17 AM


  • 12.  RE: Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 24, 2010 06:55 PM

    While all of your suggestions are great and some very creative, I am looking for more of an automated process to generate these reports on a weekly basis.

    I am aware you can always schedule a task to run a batch file or script file with commands to pull from the SEPM database, all the information you need.  What I was hoping for was a built-in report.  Something that is included with the software and fully supported by Symantec.

    I have learned in the past, when not using the provided tools, support for incorrect data, or processes to retrieve such data can not only be difficult to troubleshoot, it can also be unsupported.

    Once again, thank you for your ideas, they are great ones!
    However this doesn't answer my question, it only provides an unsupported work-around to it.

    And to be fair, since the feature to have a report showing infected computers and what files were infected doesn't exist in Symantec Endpoint Security v11, asking people to spend time on this to "solve this thread", while commendable in its intent, was doomed to failure as the solution will only be available when/if Symantec adds it into the "Reporting Matrix" on a subsequent release.

    Again, thank you for all your suggestions.  I would request people work on other people's threads, as they do deserve your time and effort to help solve an issue I'm sure will have a greater benefit than this one, at this time.

    Thank you everyone.



  • 13.  RE: Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 25, 2010 05:56 AM

    Are you expecting a report which will get automatically generated and sent to your mail ID? If yes, it is possible; refer to the links below.

    Creating administrator notifications

    Creating notifications in the Symantec Endpoint Protection Manager



  • 14.  RE: Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 27, 2010 03:44 PM

    The type of report we're looking for is one that will be a weekly summary of any and all computers that were/are infected and what file was infected.

    This allows us to give an overview to our IT Director, and he wants that report whether or not I'm in the office.  Usually at 6am in the morning.  This guy doesn't like to even contemplate being awake at that time of morning.  I would hate to see what sort of report would come from my sleepy mind on those days.

    Notification reports are great, thanks for that info.  It actually answers the next question I had, but had not asked yet.
    Unfortunately it doesn't appear to be able to do a weekly summary, unless I'm missing something.



  • 15.  RE: Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 27, 2010 07:05 PM

    I am also having a problem creating the scheduled report, but anyway I am hoping that the next release of SEP will have a better feature in reporting.

    Here's the thread that I proposed to Symantec: http://www.symantec.com/connect/idea/sep-reporting-feature-needs-be-working-properly



  • 16.  RE: Creating report in SEP 11 (Showing location of infected files)

    Posted Sep 28, 2010 12:45 AM

    I think you went through all the possible notifications there. This is what we can get automatically from SEPM.

    If you want to export the reports manually from the SEPM, all possible logs and reports are listed in the following KBs:

    About the different types of Symantec Endpoint Protection Manager Reports

    About the information in the Risk reports and log

    About the information in the TruScan proactive threat scan reports and logs