About attack reports

Deep Security enables you to generate a variety of reports. Reports display data for a time period that you specify. You can generate reports for particular computers, groups of computers, computers using a particular policy. You can also filter for certain event tags. For details on configuring reports, see Generate reports about alerts and other activity.

One of the reports that you can generate is the Attack Report, which contains a summary table and some additional information about the most frequent events. The summary tables provides this information:

 

Detect Mode:

Numbers of events where Deep Security is configured to detect issues and log events, but not take other actions.

Prevent Mode:

Numbers of events where Deep Security is configured to detect issues, generate events, and take some sort of action.

Total:

Total of the numbers in the Detect Mode and Prevent Mode columns

Ratio:

Percentage of events prevented compared to total number detected

Anti-Malware

Passed: Deep Security detected malware and logged an event.

For information on how to change the action that Deep Security takes when it detects malware, see Configure malware scans.

Cleaned: Deep Security cleaned an infected file by terminating processes or deleting registries, files, cookies, or shortcuts, depending on the type of malware.

Quarantined: Deep Security moved an infected file to the "identified files" folder.

Deleted: Deep Security deleted an infected file.

Access Denied: Deep Security prevented an infected file from being accessed, without removing the file from the system.

Terminated: A behavior monitoring scan determined that a process was compromised and terminated the process to prevent further infection. For details, see Enhanced anti-malware and ransomware scanning with behavior monitoring.

   
Firewall

Displays the number of events triggered by rule-based checks and configuration-based checks. For a list of events generated by configuration-based checks, see the events with IDs less than 200 in Firewall events.

   
Reconnaissance Scan

Number of reconnaissance scans detected by the Firewall module. For details about the types of reconnaissance scans and suggested actions, see Warning: Reconnaissance Detected. For information on configuring reconnaissance scan detection, see Firewall settings.

Reconnaissance scans are only performed in inline mode.    
Exploit

Number of events generated by the Intrusion Prevention rules provided by Trend Micro. There are 3 main types of Intrusion Prevention rules provided by Trend Micro:

  • Exploit: a specific exploit, usually signature based
  • Vulnerability: a specific vulnerability for which one or more exploits may exist
  • Smart: One or more known and unknown (zero-day) vulnerabilities. Policy and Info rules are sub-categories for Smart rules.

Intrusion Prevention rules also have an associated severity, depending on the severity of the issue that the rule identifies: Critical, High, Medium, Low.

   
Vulnerability    
Smart    
Policy    
Info    
Custom

Number of events generated by custom Intrusion Prevention rules that you have written.

Intrusion Prevention rules have an associated severity, depending on the severity of the issue that the rule identifies: Critical, High, Medium, Low.

   
Non-Rule Based

Number of events found by the Intrusion Prevention engine code, rather than by a rule.