Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

At a high-level, you can use this document to learn how to improve your health scores, which will improve the overall security status of your environment.

...


Review Your Overall Health Score

  1. In the Armor Management Portal (AMP), in the landing page, review your Overall Health Score.

    • This score is based on the average of the Protection, Detection, and Response scores.

  2. Review your Score Trends graph.

    • If you see a downward trend for any of the score types, consider any recent changes you have made in your environment, such as:

      • Network or firewall changes

      • Upgrades or migrations

      • Application changes

      • Resource upgrades or downgrades on your server instances

      • OS or kernel patches


Review Your Protection Score

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Protection.

  2. Under the Service Health table, click Needs Attention.

    • This action will display specific issues for your virtual machine that you can resolve to improve your score.


Review Your Detection score

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Detection.

  2. Under the Top Vulnerabilities table, click a specific vulnerability type.

    • This action will take you the Vulnerability Scanning details screen where you can view a description of the vulnerability and the affected virtual machine.


Review Your Response Score

The Response score is based on how long Armor or you (or someone on your account) take to respond to a SecurityIncident. As a result, to improve your score, be sure to promptly reply to a support ticket from Armor.

Note

You can update your notification settings so that you are notified about a support ticket via email.

To learn more, see Configure notification preferences.

...

To learn how to specifically improve the health scores of your environment, you can always send a support ticket.

Note

To learn how to send a support ticket, see Armor Support.

Info

Additionally, to learn more about how scores are calculated in the different dashboards, see:

Excerpt
hiddentrue

Malware - Armor troubleshoots servers that contain Malware Protection subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.


FIM - Armor troubleshoots servers that contain File Integrity Monitoring subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.


Some common issues are:

Issue

Remediation

Armor has not received a log from the filebeat service in the past 4 hours.


FIM has not provided a heartbeat in the past 4 hours.


IDS has not provided a heartbeat in the past 4 hours.


Malware Protection has not provided a heartbeat in the past 4 hours.

Armor troubleshoots servers that contain Malware Protection subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.

FIM is not installed.

How can FIM not be installed if you installed the agent?

Maybe your agent was not properly configured; test your connection; if there is no connection then what is the next step?


Armor troubleshoots servers that contain File Integrity Monitoring subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.

IDS is not installed or enabled.

How IDS not be installed or enabled if it is a part of the agent installation?

Malware Protection is not installed or configured.

Armor troubleshoots servers that contain Malware Protection subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.

Armor has not received a log from the filebeat service in the past 4 hours.

Armor troubleshoots servers that contain File Integrity Monitoring subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.


https://kb.firehost.co/display/AA/General+PDR+Score+Troubleshooting




THE RULES

Check Description

Output / Result in AMP if Triggered

Remediation message

If latest CORE heartbeat is > 4 hours old

The CORE Agent has not sent a heartbeat in the past 4 hours.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If CORE Agent is not running latest version

The CORE Agent is not running the latest available version.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If latest Trend heartbeat is > 4 hours old

Malware Protection has not provided a heartbeat in the past 4 hours.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If Anti-Malware is "On, matching module plug-in not found"

Malware Protection is not installed or configured.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If Anti-Malware is not "On"

Malware Protection is not installed or configured.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If Anti-Malware status is "Computer reboot required"

Reboot is required for Malware Protection.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If latest Trend heartbeat is > 4 hours old

FIM has not provided a heartbeat in the past 4 hours.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If FIM is not "On, Realtime", or "On" with > 0 rules

FIM is installed but has not been configured.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If FIM is "On, matching module plug-in not found"

FIM is installed but has not been configured.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If FIM is not "On"

FIM is not installed.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If Filebeat is not running the latest version

The filebeat logging agent is not running the latest available version.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If Filebeat agent is not installed

The filebeat logging agent is not installed.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If Winlogbeat is not running the latest version

The winlogbeat logging agent is not running the latest available version.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If Winlogbeat agent is not installed

The winlogbeat logging agent is not installed.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If last received log for that COREID is > 4 hours old

Armor has not received a log in the past 4 hours.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If Panopta is not Installed

The Monitoring agent is not installed.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If Panopta is not running the latest version



If Bomgar is not Installed

The Remote Support agent is not installed.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.







If latest Trend heartbeat is > 4 hours old

IDS has not provided a heartbeat in the past 4 hours.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If IDS is not "On" and has > 0 rules

IDS is installed but has not been configured.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If IDS is not "On"

IDS is not installed or enabled.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If IR Agent is not installed

The Vulnerability Scanning agent is not installed.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

If IR Agent did not scan in previous scan period

The Vulnerability Scanning agent did not run during the most recent scan.

While Armor is responsible for troubleshooting this issue, you must first open a support ticket.

Optional Services














Armor service

Protection screen message

Service remediation

Step 1

Step 2

Step 3

Step 4


Malware Protection

If latest Trend heartbeat is > 4 hours old

  1. Make sure Trend is on

  2. Check Connectivity

  3. Manaully heartbeat the Trend agent

  4. Open a support ticket


Trend Micro Anti-Malware services utilize the following endpoints:

Trend Micro ports utilize the following:

  • 4119/tcp, Trend Console, API

  • 4120/tcp, Trend DSM Heartbeat

  • 4122/tcp, Trend Relay

For Windows, run:

Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

For Linux, run


Code Block
/opt/ds_agent/dsa_control -m




If Anti-Malware is "On, matching module plug-in not found"

  1. Make sure Trend is installed

  2. Check connectivity

  3. Manually heartbeat the Trend agent

  4. Check Trend component info

  5. Open a support ticket


Trend Micro Anti-Malware services utilize the following endpoints:

Trend Micro ports utilize the following:

  • 4119/tcp, Trend Console, API

  • 4120/tcp, Trend DSM Heartbeat

  • 4122/tcp, Trend Relay





If Anti-Malware is not "On"

  1. Make sure Trend is installed

  2. Check connectivity

  3. Manually heartbeat the Trend agent

  4. Check Trend component info

  5. Open a support ticket


Trend Micro Anti-Malware services utilize the following endpoints:

Trend Micro ports utilize the following:

  • 4119/tcp, Trend Console, API

  • 4120/tcp, Trend DSM Heartbeat

  • 4122/tcp, Trend Relay





If Anti-Malware status is "Computer reboot required"

  1. Reboot your server














FIM

HB

  1. Make sure Trend is on

  2. Check Connectivity

  3. Manaully heartbeat the Trend agent

  4. Open a support ticket







On with rules








Module not found

  1. Make sure Trend is installed

  2. Check connectivity

  3. Manually heartbeat the Trend agent

  4. Check Trend component info

  5. Open a support ticket







Not on

"FIM is not installed"














IDS

HB

  1. Make sure Trend is on

  2. Check connectivity

  3. Manually heartbeat the agent

  4. Do we have a good policy?







Configured with rules








Installed















Logging

Filebeat agent is not running the latest version

Nothing - uninstall







Filebeat agent not installed

1.






































R7 (vulnerability scanning)

Installed (VS agent is not installed)

  1. Check for installation

  2. Add VS scanning







scan results in import (VS agent did not during the most recent scan)

  1. Check to see if service is running

  2. Check connectivity

  3. Open a support ticket







Logging and r7:

  1. are they installed and running

  2. connecitivty check

  3. open a ticket

...

Table of Contents
maxLevel3
minLevel3