Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

At a high-level, you can use this document to learn how to improve your health scores, which will improve the overall security status of your environment. 

Note

Based on your specific environment, you may need to perform additional steps that are not listed in this document.

You can always contact Armor Support to determine how to improve the scores for your specific environment.


Step 1: Review Your Overall Health Score

  1. In the Armor Management Portal (AMP), in the landing page, review your Overall Health Score
    • This score is based on the average of the Protection, Detection, and Response scores. 
  2. Review your Score Trends graph. 
    • If you see a downward trend for any of the score types, consider any recent changes you have made in your environment, such as: 
      • Network or firewall changes

      • Upgrades or migrations

      • Application changes

      • Resource upgrades or downgrades on your server instances

      • OS or kernel patches 


Step 2: Review Your Protection Score

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Protection
  2. Under the Service Health table, click Needs Attention.
    • This action will display specific issues for your virtual machine that you can resolve to improve your score.


Step 3: Review Your Detection score

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Detection
  2. Under the Top Vulnerabilities table, click a specific vulnerability type.
    • This action will take you the Vulnerability Scanning details screen where you can view a description of the vulnerability and the affected virtual machine.


Step 4: Review Your Response Score

The Response score is based on how long Armor or you (or someone on your account) take to respond to a Security Incident. As a result, to improve your score, be sure to promptly reply to a support ticket from Armor.

Note

You can update your notification settings so that you are notified about a support ticket via email.

To learn more, see Configure notification preferences.


Step 5: Open a Support Ticket

To learn how to specifically improve the health scores of your environment, you can always send a support ticket. 

...

Excerpt
hiddentrue

Malware - Armor troubleshoots servers that contain Malware Protection subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.


FIM - Armor troubleshoots servers that contain File Integrity Monitoring subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.


Patching - You are responsible for implementing patches.


Some common issues are: 

IssueRemediation

Armor has not received a log from the filebeat service in the past 4 hours.


FIM has not provided a heartbeat in the past 4 hours.


IDS has not provided a heartbeat in the past 4 hours.


Malware Protection has not provided a heartbeat in the past 4 hours.

Armor troubleshoots servers that contain Malware Protection subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.

FIM is not installed.

How can FIM not be installed if you installed the agent?

Maybe your agent was not properly configured; test your connection; if there is no connection then what is the next step?


Armor troubleshoots servers that contain File Integrity Monitoring subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.

IDS is not installed or enabled.

How IDS not be installed or enabled if it is a part of the agent installation?

Malware Protection is not installed or configured.

Armor troubleshoots servers that contain Malware Protection subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.

Armor has not received a log from the filebeat service in the past 4 hours.

Armor troubleshoots servers that contain File Integrity Monitoring subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.


https://kb.firehost.co/display/AA/General+PDR+Score+Troubleshooting




THE RULES

Check DescriptionOutput / Result in AMP if TriggeredRemediation message
If latest CORE heartbeat is > 4 hours oldThe CORE Agent has not sent a heartbeat in the past 4 hours.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If CORE Agent is not running latest versionThe CORE Agent is not running the latest available version.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If latest Trend heartbeat is > 4 hours oldMalware Protection has not provided a heartbeat in the past 4 hours.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Anti-Malware is "On, matching module plug-in not found"Malware Protection is not installed or configured.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Anti-Malware is not "On"Malware Protection is not installed or configured.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Anti-Malware status is "Computer reboot required"Reboot is required for Malware Protection.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If latest Trend heartbeat is > 4 hours oldFIM has not provided a heartbeat in the past 4 hours.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If FIM is not "On, Realtime", or "On" with > 0 rulesFIM is installed but has not been configured.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If FIM is "On, matching module plug-in not found"FIM is installed but has not been configured.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If FIM is not "On"FIM is not installed.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Filebeat is not running the latest versionThe filebeat logging agent is not running the latest available version.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Filebeat agent is not installedThe filebeat logging agent is not installed.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Winlogbeat is not running the latest versionThe winlogbeat logging agent is not running the latest available version.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Winlogbeat agent is not installedThe winlogbeat logging agent is not installed.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If last received log for that COREID is > 4 hours oldArmor has not received a log in the past 4 hours.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Panopta is not InstalledThe Monitoring agent is not installed.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If Panopta is not running the latest version

If Bomgar is not InstalledThe Remote Support agent is not installed.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.






If latest Trend heartbeat is > 4 hours oldIDS has not provided a heartbeat in the past 4 hours.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If IDS is not "On" and has > 0 rulesIDS is installed but has not been configured.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If IDS is not "On"IDS is not installed or enabled.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If IR Agent is not installedThe Vulnerability Scanning agent is not installed.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
If IR Agent did not scan in previous scan periodThe Vulnerability Scanning agent did not run during the most recent scan.While Armor is responsible for troubleshooting this issue, you must first open a support ticket.
Optional Services












Armor serviceProtection screen messageService remediationStep 1Step 2Step 3Step 4
Malware ProtectionIf latest Trend heartbeat is > 4 hours old
  1. Make sure Trend is on
  2. Check Connectivity
  3. Manaully heartbeat the Trend agent
  4. Open a support ticket

Trend Micro Anti-Malware services utilize the following endpoints:

Trend Micro ports utilize the following:

  • 4119/tcp, Trend Console, API
  • 4120/tcp, Trend DSM Heartbeat
  • 4122/tcp, Trend Relay

For Windows, run:

Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
For Linux, run


Code Block
/opt/ds_agent/dsa_control -m



If Anti-Malware is "On, matching module plug-in not found"
  1. Make sure Trend is installed
  2. Check connectivity
  3. Manually heartbeat the Trend agent
  4. Check Trend component info
  5. Open a support ticket

Trend Micro Anti-Malware services utilize the following endpoints:

Trend Micro ports utilize the following:

  • 4119/tcp, Trend Console, API
  • 4120/tcp, Trend DSM Heartbeat
  • 4122/tcp, Trend Relay




If Anti-Malware is not "On"
  1. Make sure Trend is installed
  2. Check connectivity
  3. Manually heartbeat the Trend agent
  4. Check Trend component info
  5. Open a support ticket

Trend Micro Anti-Malware services utilize the following endpoints:

Trend Micro ports utilize the following:

  • 4119/tcp, Trend Console, API
  • 4120/tcp, Trend DSM Heartbeat
  • 4122/tcp, Trend Relay




If Anti-Malware status is "Computer reboot required"
  1. Reboot your server













FIMHB
  1. Make sure Trend is on
  2. Check Connectivity
  3. Manaully heartbeat the Trend agent
  4. Open a support ticket






On with rules






Module not found
  1. Make sure Trend is installed
  2. Check connectivity
  3. Manually heartbeat the Trend agent
  4. Check Trend component info
  5. Open a support ticket






Not on"FIM is not installed"












IDSHB
  1. Make sure Trend is on
  2. Check connectivity
  3. Manually heartbeat the agent
  4. Do we have a good policy?






Configured with rules






Installed













LoggingFilebeat agent is not running the latest versionNothing - uninstall





Filebeat agent not installed1. 




































R7 (vulnerability scanning)Installed (VS agent is not installed)
  1. Check for installation
  2. Add VS scanning







scan results in import (VS agent did not during the most recent scan)
  1. Check to see if service is running
  2. Check connectivity
  3. Open a support ticket






Logging and r7:

  1. are they installed and running
  2. connecitivty check
  3. open a ticket

Was this helpful?