You can use the information below to troubleshoot the issues displayed in the Protection screen.
...
Review each step to troubleshoot your problem. If the first step does not resolve the issue, then continue to the second step until the issue has been resolved. As always, you can send a support ticket.
...
Armor Service | Issue | Remediation |
---|
Logging | The filebeat logging agent is not installed. |
Expand |
---|
title | Step 1: Verify the status of filebeat |
---|
|
| Description | Command | Extra information |
---|
Windows | Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\ | cat C:\.armor\opt\winlogbeat-5.2.0 -windows -x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0 -windows -x86_64\filebeat.yml
| - Windows uses both winlogbeat and filebeat.
- Commands should run in Powershell.
To review additional configurations, certificates, and service information, review a server's directory: - C:\.armor\opt\winlogbeat*
- C:\.armor\opt\filebeat*
|
---|
| To verify the operation of the logging services, look for winlogbeat, filebeat | gsv -displayname winlogbeat,filebeat |
|
---|
| To verify the operation of the logging service processes, look for winlogbeat | gps filebeat,winlogbeat |
|
---|
| Confirm the configured log endpoint | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts |
|
---|
|
|
|
|
---|
Linux | Configurations are stored within /etc/filebeat/filebeat.yml | cat /etc/filebeat/ *.yml |
|
---|
| Verify the operation of the filebeat service | ps aux | grep filebeat |
|
---|
| Confirm the configured log endpoint | grep -i hosts /etc/filebeat/filebeat .yml |
|
---|
| Confirm the external_id | grep -i external_id /etc/filebeat/filebeat .yml |
|
---|
| Confirm the tenant ID | grep -i tenant_id /etc/filebeat/filebeat .yml |
|
---|
|
Expand |
---|
title | Step 2: Send a support ticket |
---|
| Insert excerpt |
---|
| ESLP:Create a support ticket (snippet) |
---|
| ESLP:Create a support ticket (snippet) |
---|
nopanel | true |
---|
|
|
|
Logging | The winlogbeat logging agent is not installed. Note |
---|
This section only applies to Windows users. |
|
Expand |
---|
title | Step 1: Verify the status of winlogbeat |
---|
|
Description | Command | Extra information |
---|
Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\ | cat C:\.armor\opt\winlogbeat-5.2.0 -windows -x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0 -windows -x86_64\filebeat.yml
| - Windows uses both winlogbeat and filebeat.
- Commands should run in Powershell.
To review additional configurations, certificates, and service information, review a server's directory: - C:\.armor\opt\winlogbeat*
- C:\.armor\opt\filebeat*
| To verify the operation of the logging services, look for winlogbeat, filebeat | gsv -displayname winlogbeat,filebeat |
| To verify the operation of the logging service processes, look for winlogbeat | gps filebeat,winlogbeat |
| Confirm the configured log endpoint | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts |
|
|
|
Logging | Armor has not received a log in the past 4 hours. |
Expand |
---|
title | Step 1: Check logging services |
---|
|
| Description | Command | Extra information |
---|
Windows | Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\ | cat C:\.armor\opt\winlogbeat-5.2.0 -windows -x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0 -windows -x86_64\filebeat.yml
| - Windows uses both winlogbeat and filebeat.
- Commands should run in Powershell.
To review additional configurations, certificates, and service information, review a server's directory: - C:\.armor\opt\winlogbeat*
- C:\.armor\opt\filebeat*
|
---|
| To verify the operation of the logging services, look for winlogbeat, filebeat | gsv -displayname winlogbeat,filebeat |
|
---|
| To verify the operation of the logging service processes, look for winlogbeat | gps filebeat,winlogbeat |
|
---|
| Confirm the configured log endpoint | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts |
|
---|
|
|
|
|
---|
Linux | Configurations are stored within /etc/filebeat/filebeat.yml | cat /etc/filebeat/ *.yml |
|
---|
| Verify the operation of the filebeat service | ps aux | grep filebeat |
|
---|
| Confirm the configured log endpoint | grep -i hosts /etc/filebeat/filebeat .yml |
|
---|
| Confirm the external_id | grep -i external_id /etc/filebeat/filebeat .yml |
|
---|
| Confirm the tenant ID | grep -i tenant_id /etc/filebeat/filebeat .yml |
|
---|
|
Expand |
---|
title | Step 2: Check connectivity |
---|
|
Port | Destination |
---|
515/tcp | - 46.88.106.196
- 146.88.144.196
|
|
|
...
Armor Service | Issue | Remediation |
---|
Malware Protection | Malware Protection has not provided a heartbeat in the past 4 hours. |
Expand |
---|
title | Step 1: Verify the status of the agent |
---|
|
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
|
Expand |
---|
title | Step 2: Check the connectivity of the agent |
---|
|
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
|
Expand |
---|
title | Step 3: Manually heartbeat the agent |
---|
|
| Description | Command |
---|
Windows | Verify a 200 response |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux | Verify a 200 response |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
|
Expand |
---|
title | Step 4: Send a support ticket |
---|
| Insert excerpt |
---|
| ESLP:Create a support ticket (snippet) |
---|
| ESLP:Create a support ticket (snippet) |
---|
nopanel | true |
---|
|
|
|
Malware Protection | Malware Protection is not installed or configured. |
Expand |
---|
title | Step 1: Verify the status of the agent |
---|
|
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
|
Expand |
---|
title | Step 2: Check the connectivity of the agent |
---|
|
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
|
Expand |
---|
title | Step 3: Manually heartbeat the agent |
---|
|
| Description | Command |
---|
Windows | Verify a 200 response |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux | Verify a 200 response |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
|
Expand |
---|
title | Step 4: Check the components for the agent |
---|
|
Windows |
Code Block |
---|
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.AM |
|
---|
Linux |
Code Block |
---|
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.AM |
|
---|
Note |
---|
Component.AM.mode describes if the Malware Protection module is installed. Component.AM.rulesis the number of rules derived from the Armor Deep Security Manager. |
|
|
Malware Protection | Reboot is required for Malware Protection. |
Expand |
---|
title | Step 1: Reboot your server |
---|
| Step 1: Reboot your server |
|
...
Armor Service | Issue | Remediation |
---|
File Integrity Monitoring (FIM) | FIM has not provided a heartbeat in the past 4 hours. |
Expand |
---|
title | Step 1: Verify the status of the agent |
---|
|
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
|
Expand |
---|
title | Step 2: Check the connectivity of the agent |
---|
|
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
|
Expand |
---|
title | Step 3: Manually heartbeat the agent |
---|
|
| Description | Command |
---|
Windows | Verify a 200 response |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux | Verify a 200 response |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
|
|
File Integrity Monitoring (FIM) | FIM is installed but has not been configured. |
Expand |
---|
title | Step 1: Verify the status of the agent |
---|
|
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
|
Expand |
---|
title | Step 2: Check the connectivity of the agent |
---|
|
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
|
Expand |
---|
title | Step 3: Manually heartbeat the agent |
---|
|
| Description | Command |
---|
Windows | Verify a 200 response |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux | Verify a 200 response |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
|
Expand |
---|
title | Step 4: Check the components for the agent |
---|
|
Windows |
Code Block |
---|
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.IM |
|
---|
Linux |
Code Block |
---|
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.IM |
|
---|
Note |
---|
Component.IM.mode describes if the FIM module is installed. Component.IM.rulesis the number of rules derived from the Armor Deep Security Manager. |
|
|
File Integrity Monitoring (FIM) | FIM is not installed. |
Expand |
---|
title | Step 1: Verify the status of the agent |
---|
|
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
|
Expand |
---|
title | Step 2: Check the connectivity of the agent |
---|
|
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
|
Expand |
---|
title | Step 3: Manually heartbeat the agent |
---|
|
| Description | Command |
---|
Windows | Verify a 200 response |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux | Verify a 200 response |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
|
|
...
Armor Service | Issue | Remediation |
---|
IDS | IDS has not provided a heartbeat in the past 4 hours. |
Expand |
---|
title | Step 1: Verify the status of the agent |
---|
|
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
|
Excerpt |
---|
|
Expand |
---|
title | Step 1: Verify the status of the agent |
---|
|
Windows |
Code Block |
---|
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls FWDPI
Component.FWDPI.dpiRules: 164
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap |
|
---|
Linux |
Code Block |
---|
[root@ip-172-31-43-60 ~]# /opt/ds_agent/dsa_query -c GetComponentInfo | grep FWDPI
2016-11-18 01:15:47.000000: [Debug/6] | Starting thread 'CScriptThread' with stack size of 1048576 | /build/workspace/Sustain/9.6SP1HF/Build_DSA_96SP1HF_Amazon64/src/dsa/core/threadMgr/Runnable.cpp:587:start | FA6:7F7767397880:*unknown*
Component.FWDPI.dpiRules: 145
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap |
|
---|
|
|
Expand |
---|
title | Step 2: Check the connectivity of the agent |
---|
|
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
|
Expand |
---|
title | Step 3: Manually heartbeat the agent |
---|
|
| Description | Command |
---|
Windows | Verify a 200 response |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux | Verify a 200 response |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
|
|
IDS | IDS is installed but has not been configured. |
Expand |
---|
title | Step 1: Verify the status of the agent |
---|
|
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
|
Expand |
---|
title | Step 2: Check the connectivity of the agent |
---|
|
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
|
Expand |
---|
title | Step 3: Manually heartbeat the agent |
---|
|
| Description | Command |
---|
Windows | Verify a 200 response |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux | Verify a 200 response |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
|
|
IDS | IDS is not installed or enabled. |
Expand |
---|
title | Step 1: Verify the status of the agent |
---|
|
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps -axu | grep ds_agent |
---|
|
Expand |
---|
title | Step 2: Check the connectivity of the agent |
---|
|
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient( '146.88.106.210' , 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88 . 106.210 443 |
---|
|
Expand |
---|
title | Step 3: Manually heartbeat the agent |
---|
|
Windows |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
|
|
Vulnerability Scanning
...
To remediate Vulnerability Scanning issues, please refer to thisĀ documentation.
Topics Discussed