Report types
The reports you have access to may vary depending on factors such as:
Company account
User rights
Network view
License
These are all the reports currently available in the GravityZone Control Center:
Antiphishing Activity
Informs you about the activity of the Antiphishing module of Bitdefender Endpoint Security Tools. You can view the number of blocked phishing websites on the selected endpoints and the user that was logged in at the time of the last detection. By clicking the links from the Blocked Websites column, you can also view the website URLs, the number of block occurrences, and the date of the last event.
The report also includes a classification of the detection events and affected endpoints as follows:
Top 10 domains blocked on endpoints details the most frequently detected domains. This information is only available in PDF format.
Top 10 affected endpoints informs you about the endpoints that have the most Antiphishing detections. This information is only available in PDF format.
Affected endpoints presents the total number of endpoints with at least one detection.
Total detections provides the total number of phishing detections on all endpoints.
Blocked Applications
Informs you about the activity of the following modules:
Antimalware
Firewall
Content Control
ATC/IDS
Blocklist
Advanced Anti-Exploit
Anti-tampering
You can view the number of blocked applications on the selected endpoints and the user that was logged in at the time of the last detection.
Clicking the number associated with a target provides additional information on the blocked applications. Such information includes the number of events that occurred, and the date and time of the last Block event.
In this report, you can quickly instruct the protection modules to allow the selected application to run on the target endpoint:
Click the Add Exclusion button to define exceptions in the following modules:
Antimalware
ATC
Content Control
Firewall
A confirmation window will show up, informing you of the new rule that will modify the existing policy for that specific endpoint.
Click the Add Rule button to define a rule for an application or a process in Application Control. In the configuration window, apply the rule to an existing policy. A message will inform you of the new rule that will modify the policy assigned to that specific endpoint.
The report also displays the number of access attempts and if the module is running in Test Mode or in Production Mode.
Blocked Websites
Informs you about the activity of the Web Control module of Bitdefender Endpoint Security Tools. For each target, you can view the number of blocked websites. By clicking this number, you can view additional information, such as:
Website URL and category
Number of access attempts per website
Date and time of the last attempt, as well as the user that was logged in at the time of the detection.
Reason for blocking, which includes scheduled access, malware detection, category filtering and blacklisting.
Data Protection
Informs you about the activity of the Data Protection module of Bitdefender Endpoint Security Tools. You can view the number of blocked emails and websites on the selected endpoints, as well as the user that was logged in at the time of the last detection.
Device Control Activity
Informs you about the events that occurred when monitored devices on the endpoints are accessed. For each target endpoint, you can view the number of allow, block and read-only events. Each event can provide you with additional information when clicking the corresponding numbers:
Logged-in user
Device type and ID
Device vendor and product ID
Date and time of the event.
Endpoint Encryption Status
Informs you about the encryption status of the endpoints. The pie chart displays the number of endpoints that are compliant or non-compliant with the encryption policy settings.
The table below the pie chart delivers details such as:
Endpoint name
Fully Qualified Domain Name (FQDN)
Endpoint IP
Operating system
Device policy compliance:
Compliant – when the volumes are all encrypted or unencrypted according to the policy.
Non-compliant – when the status of the volumes is inconsistent with the assigned policy. For example, only one of two volumes is encrypted or an encryption process is in progress on that volume.
Volumes summary
Click the numbers in the Volumes Summary column to view information about each volume of the endpoint: ID, name, encryption status (Encrypted or Unencrypted), issues, type (Boot or Non-boot), size, recovery key ID.
Device policy (Encrypt or Decrypt)
Endpoint Modules Status
Offers an overview of module coverage for selected targets. In the report details, for each target endpoint, you can view which modules are active, disabled or not installed, and also the scanning engine in use. Clicking the endpoint name will display the Information window with details about the endpoint and installed protection layers.
You can start a task to change the settings of one or several selected endpoints by clicking the Reconfigure agent button, located above the grid. For details, refer to Reconfigure agent.
Endpoint Protection Status
Provides you with various status information concerning the selected endpoints from your network:
Endpoint name
Endpoint IP
Container host
Bitdefender Endpoint Security Tools update status
Last update
Antimalware protection status
Management status
Network activity status (online/offline)
You can apply various filters by to find the information you are looking for.
Firewall Activity
Informs you about the activity of the Firewall module of Bitdefender Endpoint Security Tools. You can view the number of blocked traffic attempts and blocked port scans on the selected endpoints, as well as the user that was logged in at the time of the last detection.
HyperDetect Activity
Informs you about the activity of the HyperDetect module of Bitdefender Endpoint Security Tools.
The chart in the upper side of the report page shows you the dynamics of the attack attempts over the specified period of time and their distribution by type of attack.
You can interact with the chart in the following ways:
Hovering over the legend entries will highlight the associated attack type in the chart.
Clicking the entry will show or hide the respective line in the chart.
Clicking any point on a line will filter your table data according to the selected type. For example, if you click any point on the orange line, the table will display only exploits.
The details in the lower part of the report help you identify the malicious attempts in your network and if they were addressed. They refer to:
The path to the malicious file
For fileless attacks, the file path provides the name of the executable used in the attack. Clicking the file path link opens a details window that displays the detection reason and the malicious command line.
The endpoint on which the detection occurred
The protection module that detected the threat
As HyperDetect is an additional layer of the Antimalware and Content Control modules, the report will provide information about one of these two modules, depending on the type of detection.
The type of the intended attack (targeted attack, grayware, exploits, ransomware, suspicious network traffic and files)
The threat status
The module protection level set when the threat was detected (permissive, normal, or aggressive)
Number of times the threat was detected
Most recent detection
Identification as a fileless attack (yes or no), to quickly filter the fileless attack detections
The exact name of the detected threat
The file hash
Note
A file may be used in multiple types of attacks. Therefore, GravityZone reports it for each type of attack it was involved in.
From this report, you can quickly resolve false positives, by adding exceptions in the assigned security policies. To do so, follow these steps:
Select as many entries in the table as you need.
Note
Fileless attack detections cannot be added to the exceptions list, because the detected executable is not malware itself, but can be a threat when using a malicious encoded command line.
Click the Add exception button at the upper side of the table.
In the configuration window, select the policies to which the exception should be added and then click Add.
By default, related information for each added exception is sent to Bitdefender Labs, improving the detection capabilities of Bitdefender products. You can control whether to submit this information using the Submit this feedback to Bitdefender for a better analysis checkbox.
If the threat was detected by the Antimalware module, the exception will apply to both On-access and On-demand scanning modes.
Note
You can find these exceptions in the following sections of the selected policies: Antimalware > Settings for files, and Network Protection > Traffic for URLs.
Malware Status
Helps you find out how many and which of the selected endpoints have had contact with malware (be that a prevented attack or situations that needed user intervention) over a specific time period and how the threats have been dealt with. You can also see the user that was logged in at the time of the last detection.
Endpoints are grouped based on these criteria:
Endpoints with no detections (no malware threat has been detected over the specified time period).
Endpoints with resolved malware (all detected files have been successfully disinfected or moved to quarantine).
Endpoints with unresolved malware (some of the detected files have been denied access to).
You can view the list of threats and paths to the affected files, for each endpoint, by clicking the links available in the disinfection result columns.
In this report, you can quickly run a Full Scan task on the unresolved targets, by clicking the Scan infected targets button from the Action Toolbar above the data table.
Bitdefender MDR Service Status
Provides a high-level overview of Bitdefender MDR protection coverage for all your managed companies and their networks.
The report includes a list of all your managed companies, licensing information, Bitdefender MDR service and onboarding status, and network coverage.
You can view additional information on the displayed managed companies by clicking on the names in the Company Name column.
Network Incidents
Informs you about the activity of the Network Attack Defense module. A graph displays the number of the attack attempts detected over a specified interval. The report details include:
Endpoint name, IP and FQDN
Username
Detection name
Attack technique
Number of attempts
Attacker’s IP
Targeted IP and port
When the attack was blocked most recently
Clicking the Add exceptions button for a selected detection automatically creates an entry in Global Exclusions from the Network Protection section.
Network Protection Status
Provides detailed information on the overall security status of the target endpoints. For example, you can view information about:
Available protection layers
Managed and unmanaged endpoints
License type and status (additional license related columns are hidden by default)
Infection status
Update status of the product and security content
Software security patch status (missing security or non-security patches)
Users who logged into the computer
For unmanaged endpoints, you can view the Unmanaged status under other columns.
On-demand Scanning
Provides information regarding on-demand scans performed on the selected targets. A pie chart displays the statistics of successful and failed scans. The table below the chart provides details regarding the scan type, occurrence and last successful scan for each endpoint.
Policy Compliance
Provides information regarding the security policies applied on the selected targets. A pie chart displays the status of the policy. In the table below the chart, you can view the assigned policy on each endpoint and the policy type, as well as the date and the user that assigned it.
Sandbox Analyzer Failed Submissions
Displays all failed submissions of objects sent from the endpoints to Sandbox Analyzer over a specified time period. A submission is considered failed after several retry attempts.
The graphic shows the variation of the failed submissions during the selected period, while in the report details table you can view which files could not be sent to Sandbox Analyzer, the endpoint where the object was sent from, date and time for each retry, the error code returned, description of each failed retry and the company name.
Sandbox Analyzer Results
Provides you with detailed information related to the files on target endpoints, which were analyzed in the sandbox over a specified time period. A line chart displays the number of the clean or dangerous analyzed files, while the table presents you with details on each case.
You are able generate a Sandbox Analyzer Results report for all analyzed files or only for those detected as malicious.
You can view:
Analysis verdict, saying whether the file is clean, dangerous or unknown (Threat detected / No threat detected / Unsupported). This column shows up only when you select the report to display all analyzed objects.
To view the complete list with file types and extensions supported by Sandbox Analyzer, refer to Supported File Types and Extensions for Manual Submission .
Threat type, such as adware, rootkit, downloader, exploit, host-modifier, malicious tools, password stealer, ramsomware, spam, or Trojan.
Date and time of the detection, which you can filter depending on the reporting period.
Hostname or IP of the endpoint where the file was detected.
Name of the files, if they were submitted individually, or number of analyzed files in case of a bundle. Click the file name or bundle link to view details and actions taken.
Remediation action status for the submitted files (Partial, Failed, Reported Only, Successful).
Company name.
More information about the properties of the analyzed file is available by clicking the Read more button in the Analysis Result column. Here you can view security insights and detailed reporting on the sample behavior.
Sandbox Analyzer captures the following behavioral events:
Writing / deleting / moving / duplicating / replacing files on the system and on removable drives.
Execution of newly-created files.
Changes to the file system.
Changes to the applications running inside the virtual machine.
Changes to the Windows taskbar and Start menu.
Creating / terminating / injecting processes.
Writing / deleting registry keys.
Creating mutex objects.
Creating / starting / stopping / modifying / querying / deleting services.
Changing browser security settings.
Changing Windows Explorer display settings.
Adding files to firewall exception list.
Changing network settings.
Enabling execution at system startup.
Connecting to a remote host.
Accessing certain domains.
Transferring data to and from certain domains.
Accessing URLs, IPs and ports through various communication protocols.
Checking the indicators of virtual environment.
Checking the indicators of monitoring tools.
Creating snapshots.
SSDT, IDT, IRP hooks.
Memory dumps for suspicious processes.
Windows API functions calls.
Becoming inactive for a certain time period to delay execution.
Creating files with actions to be executed at certain time intervals.
In the Analysis Result window, click the Download button to save to your computer the Behavior Summary content in the following formats: XML, HTML, JSON, PDF.
Alternatively, you can use submission cards to gather the necessary information on analyzed samples. The submission cards are available in the Sandbox Analyzer section, in the main menu of Control Center.
Security Audit
Provides information about the security events that occurred on a selected target. The information refers to the following events:
Malware detection
Blocked application
Blocked scan port
Blocked traffic
Blocked website
Blocked device
Blocked email
Blocked process
Advanced Anti-Exploit events
Network Attack Defense events
Anti-tampering events
To simplify the analysis of Antimalware detections, the report classifies them along with the affected endpoints based on different criteria as follows:
Top 10 malware by number of endpoints, details the most frequent Antimalware detections (available only in PDF format).
Top 10 endpoints by number of Antimalware detections, which informs you about the endpoints that have the most Antimalware detection (available only in PDF format).
Endpoints, which presents the total number of endpoints with at least one Antimalware detection.
Detections, which provides the total number of Antimalware detections on all endpoints.
Security Container Status
Helps you evaluate the status of the target Security Container. You can identify the issues each Security Server might have, with the help of various status indicators, such as:
Security Container Name: the name of the container
IP: the IP address of the container
Container Host: displays the host managing this specific container
Status: shows the overall container status
Last Security Content Update: date at which the container was last updated
Security Content Update Status: shows if the security content is up to date or whether the updates have been disabled.
Product Update Status: shows if the product version is up to date or whether the updates have been disabled.
Current Product Version: product version currently installed on the container.
Last Product Update: date at which the Security Container was deployed.
Note
To update a Security Container you need to redeploy it with the new product version.
Latest Product Version: latest product version available.
Security Server Status
Helps you evaluate the status of the target Security Servers. You can identify the issues each Security Server might have, with the help of various status indicators, such as:
Status: shows the overall Security Server status.
Machine status: informs which Security Server appliances are stopped.
AV status: points out whether the Antimalware module is enabled or disabled.
Update status: shows if the Security Server appliances are updated or whether the updates have been disabled.
Load status: indicates the scan load level of a Security Server as described here:
Underloaded, when less than 5% of its scanning capacity is used.
Normal, when the scan load is balanced.
Overloaded, when the scan load exceeds 90% of its capacity. In such case, check the security policies. If all Security Servers allocated within a policy are overloaded, you need to add another Security Server to the list. Otherwise, check the network connection between the clients and Security Servers without load issues.
Connected Storage Devices: informs how many ICAP-compliant storage devices are connected to the Security Server. Clicking the number will display the list of storage devices, with details for each one: name, IP, type, date and time of the last connection.
Storage Scanning Status: indicates if the Security for Storage service is enabled or disabled.
You can also view how many agents are connected to the Security Server. Further on, clicking the number of connected clients will display the list of endpoints. These endpoints may be vulnerable if the Security Server has issues.
Top 10 Detected Malware
Shows you the top 10 malware threats detected over a specific time period on selected endpoints.
Note
The details table displays all endpoints which were infected by the top 10 detected malware.
Top 10 Infected Endpoints
Shows you the top 10 most infected endpoints by the number of total detections over a specific time period out of the selected endpoints.
Note
The details table displays all malware detected on the top 10 infected endpoints.
Update Status
Shows you the update status of the security agent installed on selected targets. The update status refers to product and security content versions.
Shows you the update status of the security agent or Security Server installed on selected targets. The update status refers to product and security content versions.
Using the available filters, you can easily find out which clients have updated and which have not in the last 24 hours.
In this report, you can quickly bring the agents to the latest version. To do this, click the Update button from the Action Toolbar above the data table.
Virtual Machines Network Protection Status
Informs you of the Bitdefender protection coverage in your virtualized environment. For each of the selected machines, you can view which component resolves security issues:
Security Server, for agentless deployments in VMware NSX environments
A security agent, in any other situation
Ransomware Activity
Informs you with regards to the ransomware attacks that GravityZone detected on the endpoints you manage, and provides you with the necessary tools to recover the files affected during the attacks.
The report is available as a page in Control Center, distinct from the other reports, accessible right from the Control Center main menu.
The Ransomware Activity page consists of a grid that, for each ransomware attack, lists the following:
The name, IP address and FQDN of the endpoint on which the attack took place
The company to which the endpoint belongs
The name of the user who was logged in during the attack
The type of attack, respectively a local or a remote one
The process under which the ransomware ran for local attacks, or the IP address from which the attack was initiated for remote ones
Date and time of the detection
Number of files encrypted until the attack was blocked
The restore action status for all files on the target endpoint
Some details are hidden by default. Click the Show/Hide Columns button in the upper right side of the page to configure the details you want to view in the grid. If you have many entries in the grid, you can choose to hide filters using the Show/Hide filters button in the upper right side of the page.
Additional information is available by clicking the number for files. You can view a list with the full path to the original and restored files, and the restore status for all files involved in the selected ransomware attack.
Important
The backup copies are available for maximum 30 days. Please mind the date and time until files may still be recovered.
To recover files from ransomware, follow these steps:
Select the attacks you want in the grid.
Click the Restore files button. A confirmation window shows up.
A recovery task is being created. You can check its status in the Tasks page, just like for any other task in GravityZone.
If detections are the result of legitimate processes, follow these steps:
Select the records in the grid.
Click the Add exclusion button.
In the new window, select the policies to which the exclusion must apply.
Click Add.
GravityZone will apply all possible exclusions: on folder, on process, and on IP address.
You can check or modify them in the Antimalware > Settings > Custom Exclusions policy section.
Note
Ransomware Activity keeps record of events for two years.
[Exchange] Blocked Content and Attachments
Provides you with information about emails or attachments that Content Control deleted from the selected servers over a specific time interval. The information includes:
Email addresses of the sender and of the recipients.
When the email has more recipients, instead of the email addresses, the report displays the recipients number with a link to a window containing the list of email addresses.
Email subject.
Detection type, indicating which Content Control filter detected the threat.
The action taken on the detection.
The server where the threat was detected.
[Exchange] Blocked Unscannable Attachments
Provides you with information about emails containing unscannable attachments (over-compressed, password-protected, etc.), blocked on the selected Exchange mail servers over a specific time period. The information refers to:
Email addresses of the sender and of the recipients.
When the email is sent to more recipients, instead of the email addresses, the report displays the recipients number with a link to a window containing the list of email addresses.
Email subject.
The actions taken to remove the unscannable attachments:
Deleted Email, indicating that the entire email has been removed.
Deleted Attachments, a generic name for all actions that remove attachments from the email message, such as deleting the attachment, moving to quarantine or replacing it with a notice.
By clicking the link in the Action column, you can view details about each blocked attachment and the corresponding action taken.
Detection date and time.
The server where the email was detected.
[Exchange] Email Scan Activity
Shows statistics on the actions taken by the Exchange Protection module over a specific time interval.
The actions are grouped by detection type (malware, spam, forbidden attachment and forbidden content) and by server.
The statistics refer to the following email statuses:
Quarantined. These emails were moved to the Quarantine folder.
Deleted/Rejected. These emails were deleted or rejected by the server.
Redirected. These emails were redirected to the email address supplied in the policy.
Cleaned and delivered. These emails had the threats removed and passed through the filters.
An email is considered cleaned when all detected attachments have been disinfected, quarantined, deleted or replaced with text.
Modified and delivered. Scan information was added to the emails headers and the emails passed through the filters.
Delivered without any other action. These emails were ignored by Exchange Protection and passed through the filters.
[Exchange] Malware Activity
Provides you with information about emails with malware threats, detected on the selected Exchange mail servers over a specific time period. The information refers to:
Email addresses of the sender and of the recipients.
When the email is sent to more recipients, instead of the email addresses, the report displays the recipients number with a link to a window containing the list of email addresses.
Email subject.
Email status after antimalware scan.
By clicking the status link, you can view details about the detected malware and the action taken.
Detection date and time.
The server where the threat was detected.
[Exchange] Top 10 Detected Malware
Informs you about the top 10 most detected malware threats in email attachments. You can generate two views containing different statistics. One view shows the number of detections by affected recipients and one by senders.
For example, GravityZone has detected one email with an infected attachment sent to five recipients.
In the recipients view:
The report shows five detections.
The report details shows only the recipients, not the senders.
In the senders view:
The report shows one detection.
The report details shows only the sender, not the recipients.
Besides the sender/recipients and the malware name, the report provides you with the following details:
The malware type (virus, spyware, PUA, etc.)
The server where the threat was detected.
Measures that the Antimalware module has taken.
Date and time of the last detection.
[Exchange] Top 10 Malware Recipients
Shows you the top 10 email recipients most targeted by malware over a specific time interval.
The report details provide you with the entire malware list that affected these recipients, together with the actions taken.
[Exchange] Top 10 Spam Recipients
Shows you the top 10 email recipients by the number of spam or phishing emails detected over a specific time interval. The report provides information also on the actions applied to the respective emails.
Mobile Devices - Malware Status
Helps you find out how many and which of the target mobile devices have been affected by malware over a specific time period and how the threats have been dealt with. Mobile devices are grouped based on these criteria:
Mobile devices with no detections (no malware threat has been detected over the specified time period)
Mobile devices with resolved malware (all detected files have been removed)
Mobile devices with existing malware (some of the detected files have not been deleted)
Mobile Devices - Malware Activity
Provides you with details about the malware threats detected over a specific time period on target mobile devices. You can view:
Number of detections (files that have been found infected with malware)
Number of resolved infections (files that have been successfully removed from the device)
Number of unresolved infections (files that have not been removed from the device)
Mobile Devices - Top 10 Infected Devices
Shows you the top 10 most infected mobile devices over a specific time period out of the target mobile devices.
Note
The details table displays all malware detected on the top 10 infected mobile devices.
Mobile Devices - Top 10 Detected Malware
Shows you the top 10 malware threats detected over a specific time period on the target mobile devices.
Note
The details table displays all mobile devices which were infected by the top 10 detected malware.
Mobile Devices - Device Compliance
Informs you of the compliance status of the target mobile devices. You can view the device name, status, operating system and the non-compliance reason.
For more information regarding compliance requirements, please check Security.
Mobile Devices - Device Synchronization
Informs you of the synchronization status of the target mobile devices. You can view the device name, the user it is assigned to, as well as the synchronization status, the operating system and the time when the device was last seen online.
For more information, refer to Checking the Mobile Devices Status.
Mobile Devices - Blocked Websites
Informs you about the attempts to access websites blocked by Web Access rules, on target devices, in the specified time frame.
For each device with detections, click the number provided in the Blocked Websites column to view detailed information of each blocked website, such as:
Website URL
Policy component that performed the action
Number of blocked attempts
Last time when the website was blocked
For more information about the web access policy settings, refer to Profiles.
Mobile Devices - Web Security Activity
Informs you about the attempts to access websites with security threats (phishing, fraud, malware or untrusted websites), on target devices, in the specified time frame.
For each device with detections, click the number provided in the Blocked Websites column to view detailed information of each blocked website, such as:
Website URL
Type of threat (phishing, malware, fraud, untrusted)
Number of blocked attempts
Last time when the website was blocked
Web Security is the policy component which detects and blocks websites with security issues. For more information about the web security policy settings, refer to Security.