Page Comparison

...

id	1174059454

...

id	1174059475

Section

background-color	$lightGrayColor
id	1174059450

Table of Contents

maxLevel	3
minLevel	3

...

id	1174059464

At a high-level, you can use this document to learn how to improve your health scores, which will improve the overall security status of your environment.

Note

Based on your specific environment, you may need to perform additional steps that are not listed in this document.

You can always contact Armor Support to determine how to improve the scores for your specific environment.

Review Your Overall Health Score

In the Armor Management Portal (AMP), in the landing page, review your Overall Health Score.
- This score is based on the average of the Protection, Detection, and Response scores.
Review your Score Trends graph.
- If you see a downward trend for any of the score types, consider any recent changes you have made in your environment, such as:
  - Network or firewall changes
  - Upgrades or migrations
  - Application changes
  - Resource upgrades or downgrades on your server instances
  - OS or kernel patches

Review Your Protection Score

In the Armor Management Portal (AMP), in the left-side navigation, click Protection.
Under the Service Health table, click Needs Attention.
- This action will display specific issues for your virtual machine that you can resolve to improve your score.

Review Your Detection score

In the Armor Management Portal (AMP), in the left-side navigation, click Detection.
Under the Top Vulnerabilities table, click a specific vulnerability type.
- This action will take you the Vulnerability Scanning details screen where you can view a description of the vulnerability and the affected virtual machine.

Review Your Response Score

The Response score is based on how long Armor or you (or someone on your account) take to respond to a SecurityIncident. As a result, to improve your score, be sure to promptly reply to a support ticket from Armor.

Note

You can update your notification settings so that you are notified about a support ticket via email.

To learn more, see Configure notification preferences.

Open a Support Ticket

To learn how to specifically improve the health scores of your environment, you can always send a support ticket.

Note
To learn how to send a support ticket, see Armor Support.

Info

Additionally, to learn more about how scores are calculated in the different dashboards, see:

Health Overview Dashboard

Excerpt

hidden	true

Malware - Armor troubleshoots servers that contain Malware Protection subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.

FIM - Armor troubleshoots servers that contain File Integrity Monitoring subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.

Some common issues are:

Issue	Remediation
Armor has not received a log from the filebeat service in the past 4 hours.
FIM has not provided a heartbeat in the past 4 hours.
IDS has not provided a heartbeat in the past 4 hours.
Malware Protection has not provided a heartbeat in the past 4 hours.	Armor troubleshoots servers that contain Malware Protection subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.
FIM is not installed.	How can FIM not be installed if you installed the agent? Maybe your agent was not properly configured; test your connection; if there is no connection then what is the next step? Armor troubleshoots servers that contain File Integrity Monitoring subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.
IDS is not installed or enabled.	How IDS not be installed or enabled if it is a part of the agent installation?
Malware Protection is not installed or configured.	Armor troubleshoots servers that contain Malware Protection subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.
Armor has not received a log from the filebeat service in the past 4 hours.	Armor troubleshoots servers that contain File Integrity Monitoring subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.

https://kb.firehost.co/display/AA/General+PDR+Score+Troubleshooting

THE RULES

Check Description	Output / Result in AMP if Triggered	Remediation message
If latest CORE heartbeat is > 4 hours old	The CORE Agent has not sent a heartbeat in the past 4 hours.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If CORE Agent is not running latest version	The CORE Agent is not running the latest available version.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If latest Trend heartbeat is > 4 hours old	Malware Protection has not provided a heartbeat in the past 4 hours.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Anti-Malware is "On, matching module plug-in not found"	Malware Protection is not installed or configured.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Anti-Malware is not "On"	Malware Protection is not installed or configured.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Anti-Malware status is "Computer reboot required"	Reboot is required for Malware Protection.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If latest Trend heartbeat is > 4 hours old	FIM has not provided a heartbeat in the past 4 hours.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If FIM is not "On, Realtime", or "On" with > 0 rules	FIM is installed but has not been configured.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If FIM is "On, matching module plug-in not found"	FIM is installed but has not been configured.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If FIM is not "On"	FIM is not installed.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Filebeat is not running the latest version	The filebeat logging agent is not running the latest available version.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Filebeat agent is not installed	The filebeat logging agent is not installed.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Winlogbeat is not running the latest version	The winlogbeat logging agent is not running the latest available version.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Winlogbeat agent is not installed	The winlogbeat logging agent is not installed.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If last received log for that COREID is > 4 hours old	Armor has not received a log in the past 4 hours.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Panopta is not Installed	The Monitoring agent is not installed.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Panopta is not running the latest version
If Bomgar is not Installed	The Remote Support agent is not installed.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.


If latest Trend heartbeat is > 4 hours old	IDS has not provided a heartbeat in the past 4 hours.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If IDS is not "On" and has > 0 rules	IDS is installed but has not been configured.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If IDS is not "On"	IDS is not installed or enabled.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If IR Agent is not installed	The Vulnerability Scanning agent is not installed.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If IR Agent did not scan in previous scan period	The Vulnerability Scanning agent did not run during the most recent scan.	While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
Optional Services

Armor service

Protection screen message

Service remediation

Step 1

Step 2

Step 3

Step 4

Malware Protection

If latest Trend heartbeat is > 4 hours old

Make sure Trend is on
Check Connectivity
Manaully heartbeat the Trend agent
Open a support ticket

Trend Micro Anti-Malware services utilize the following endpoints:

1a.epsec.armor.com, Trend Console, API
1b.epsec.armor.com, Trend DSM Heartbeat
1c.epsec.armor.com, Trend Relay

Trend Micro ports utilize the following:

4119/tcp, Trend Console, API
4120/tcp, Trend DSM Heartbeat
4122/tcp, Trend Relay

For Windows, run:

Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m HTTP Status: 200 - OK Response: Manager contact has been scheduled to occur in the next few seconds.

For Linux, run

Code Block
/opt/ds_agent/dsa_control -m

If Anti-Malware is "On, matching module plug-in not found"

Make sure Trend is installed
Check connectivity
Manually heartbeat the Trend agent
Check Trend component info
Open a support ticket

Trend Micro Anti-Malware services utilize the following endpoints:

1a.epsec.armor.com, Trend Console, API
1b.epsec.armor.com, Trend DSM Heartbeat
1c.epsec.armor.com, Trend Relay

Trend Micro ports utilize the following:

4119/tcp, Trend Console, API
4120/tcp, Trend DSM Heartbeat
4122/tcp, Trend Relay

If Anti-Malware is not "On"

Make sure Trend is installed
Check connectivity
Manually heartbeat the Trend agent
Check Trend component info
Open a support ticket

Trend Micro Anti-Malware services utilize the following endpoints:

1a.epsec.armor.com, Trend Console, API
1b.epsec.armor.com, Trend DSM Heartbeat
1c.epsec.armor.com, Trend Relay

Trend Micro ports utilize the following:

4119/tcp, Trend Console, API
4120/tcp, Trend DSM Heartbeat
4122/tcp, Trend Relay

If Anti-Malware status is "Computer reboot required"

Reboot your server

FIM

HB

Make sure Trend is on
Check Connectivity
Manaully heartbeat the Trend agent
Open a support ticket

On with rules

Module not found

Make sure Trend is installed
Check connectivity
Manually heartbeat the Trend agent
Check Trend component info
Open a support ticket

Not on

"FIM is not installed"

IDS

HB

Make sure Trend is on
Check connectivity
Manually heartbeat the agent
Do we have a good policy?

Configured with rules

Installed

Logging

Filebeat agent is not running the latest version

Nothing - uninstall

Filebeat agent not installed

1.

R7 (vulnerability scanning)

Installed (VS agent is not installed)

Check for installation
Add VS scanning

scan results in import (VS agent did not during the most recent scan)

Check to see if service is running
Check connectivity
Open a support ticket

Logging and r7:

are they installed and running
connecitivty check
open a ticket

Was this helpful?

Table of Contents

maxLevel	3
minLevel	3

Versions Compared

Old Version 42

New Version 43

Key

Review Your Overall Health Score

Review Your Protection Score

Review Your Detection score

Review Your Response Score

Open a Support Ticket

THE RULES

Was this helpful?