At a high-level, you can use this document to learn how to improve your health scores, which will improve the overall security status of your environment.
| Note |
|---|
Based on your specific environment, you may need to perform additional steps that are not listed in this document. You can always contact Armor Support to determine how to improve the scores for your specific environment. |
...
- In the Armor Management Portal (AMP), in the landing page, review your Overall Health Score.
- This score is based on the average of the Protection, Detection, and Response scores.
- Review your Score Trends graph.
- If you see a downward trend for any of the score types, consider any recent changes you have made in your environment, such as:
Network or firewall changes
Upgrades or migrations
Application changes
Resource upgrades or downgrades on your server instances
OS or kernel patches
- If you see a downward trend for any of the score types, consider any recent changes you have made in your environment, such as:
...
- In the Armor Management Portal (AMP), in the left-side navigation, click Protection.
- Under the Service Health table, click Needs Attention.
- This action will display specific issues for your virtual machine that you can resolve to improve your score.
...
- In the Armor Management Portal (AMP), in the left-side navigation, click Detection.
- Under the Top Vulnerabilities table, click a specific vulnerability type.
- This action will take you the Vulnerability Scanning details screen where you can view a description of the vulnerability and the affected virtual machine.
...
The Response score is based on how long Armor or you (or someone on your account) take to respond to a Security Incident. As a result, to improve your score, be sure to promptly reply to a support ticket from Armor.
| Note |
|---|
You can update your notification settings so that you are notified about a support ticket via email. To learn more, see Configure notification preferences. |
...
To learn how to specifically improve the health scores of your environment, you can always send a support ticket.
| Note |
|---|
| To learn how to send a support ticket, see Armor Support. |
| Info |
|---|
Additionally, to learn more about how scores are calculated in the different dashboards, see: |
...
| hidden | true |
|---|
Malware - Armor troubleshoots servers that contain Malware Protection subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.
FIM - Armor troubleshoots servers that contain File Integrity Monitoring subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.
Some common issues are:
...
Armor has not received a log from the filebeat service in the past 4 hours.
...
FIM has not provided a heartbeat in the past 4 hours.
...
IDS has not provided a heartbeat in the past 4 hours.
...
Malware Protection has not provided a heartbeat in the past 4 hours.
...
FIM is not installed.
How can FIM not be installed if you installed the agent?
Maybe your agent was not properly configured; test your connection; if there is no connection then what is the next step?
Armor troubleshoots servers that contain File Integrity Monitoring subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.
...
IDS is not installed or enabled.
...
Malware Protection is not installed or configured.
...
Armor has not received a log from the filebeat service in the past 4 hours.
...
https://kb.firehost.co/display/AA/General+PDR+Score+Troubleshooting
THE RULES
...
- Make sure Trend is on
- Check Connectivity
- Manaully heartbeat the Trend agent
- Open a support ticket
...
Trend Micro Anti-Malware services utilize the following endpoints:
- 1a.epsec.armor.com, Trend Console, API
- 1b.epsec.armor.com, Trend DSM Heartbeat
- 1c.epsec.armor.com, Trend Relay
Trend Micro ports utilize the following:
- 4119/tcp, Trend Console, API
- 4120/tcp, Trend DSM Heartbeat
- 4122/tcp, Trend Relay
For Windows, run:
| Code Block |
|---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
| Code Block |
|---|
/opt/ds_agent/dsa_control -m |
...
- Make sure Trend is installed
- Check connectivity
- Manually heartbeat the Trend agent
- Check Trend component info
- Open a support ticket
...
Trend Micro Anti-Malware services utilize the following endpoints:
- 1a.epsec.armor.com, Trend Console, API
- 1b.epsec.armor.com, Trend DSM Heartbeat
- 1c.epsec.armor.com, Trend Relay
Trend Micro ports utilize the following:
- 4119/tcp, Trend Console, API
- 4120/tcp, Trend DSM Heartbeat
- 4122/tcp, Trend Relay
...
- Make sure Trend is installed
- Check connectivity
- Manually heartbeat the Trend agent
- Check Trend component info
- Open a support ticket
...
Trend Micro Anti-Malware services utilize the following endpoints:
- 1a.epsec.armor.com, Trend Console, API
- 1b.epsec.armor.com, Trend DSM Heartbeat
- 1c.epsec.armor.com, Trend Relay
Trend Micro ports utilize the following:
- 4119/tcp, Trend Console, API
- 4120/tcp, Trend DSM Heartbeat
- 4122/tcp, Trend Relay
...
- Reboot your server
...
- Make sure Trend is on
- Check Connectivity
- Manaully heartbeat the Trend agent
- Open a support ticket
...
- Make sure Trend is installed
- Check connectivity
- Manually heartbeat the Trend agent
- Check Trend component info
- Open a support ticket
...
- Make sure Trend is on
- Check connectivity
- Manually heartbeat the agent
- Do we have a good policy?
...
- Check to see if service is running
- Check connectivity
- Open a support ticket
Logging and r7:
- are they installed and running
- connecitivty check
- open a ticket