About attack reports
Deep Security enables you to generate a variety of reports. Reports display data for a time period that you specify. You can generate reports for particular computers, groups of computers, computers using a particular policy. You can also filter for certain event tags. For details on configuring reports, see Generate reports about alerts and other activity.
One of the reports that you can generate is the Attack Report, which contains a summary table and some additional information about the most frequent events. The summary tables provides this information:
Detect Mode: Numbers of events where Deep Security is configured to detect issues and log events, but not take other actions. |
Prevent Mode: Numbers of events where Deep Security is configured to detect issues, generate events, and take some sort of action. |
Total: Total of the numbers in the Detect Mode and Prevent Mode columns |
Ratio: Percentage of events prevented compared to total number detected |
|
---|---|---|---|---|
Anti-Malware |
Passed: Deep Security detected malware and logged an event. For information on how to change the action that Deep Security takes when it detects malware, see Configure malware scans and exclusions |
Cleaned: Deep Security cleaned an infected file by terminating processes or deleting registries, files, cookies, or shortcuts, depending on the type of malware. Quarantined: Deep Security moved an infected file to the "identified files" folder. Deleted: Deep Security deleted an infected file. Access Denied: Deep Security prevented an infected file from being accessed, without removing the file from the system. Terminated: A behavior monitoring scan determined that a process was compromised and terminated the process to prevent further infection. For details, see Enhanced anti-malware and ransomware scanning with behavior monitoring. |
||
Firewall |
Displays the number of events triggered by rule-based checks and configuration-based checks. For a list of events generated by configuration-based checks, see the events with IDs less than 200 in Firewall events. |
|||
Reconnaissance Scan |
Number of reconnaissance scans detected by the Firewall module. For details about the types of reconnaissance scans and suggested actions, see Warning: Reconnaissance Detected. For information on configuring reconnaissance scan detection, see Firewall settings. |
Reconnaissance scans are only performed in inline mode. | ||
Exploit |
Number of events generated by the Intrusion Prevention rules provided by Trend Micro. There are 3 main types of Intrusion Prevention rules provided by Trend Micro:
Intrusion Prevention rules also have an associated severity, depending on the severity of the issue that the rule identifies: Critical, High, Medium, Low. |
|||
Vulnerability | ||||
Smart | ||||
Policy | ||||
Info | ||||
Custom |
Number of events generated by custom Intrusion Prevention rules that you have written. Intrusion Prevention rules have an associated severity, depending on the severity of the issue that the rule identifies: Critical, High, Medium, Low. |
|||
Non-Rule Based |
Number of events found by the Intrusion Prevention engine code, rather than by a rule. |