
In the Protection screen, the Protection score focuses on the stability of Armor services to determine whether:

  • The agent is responding (heartbeating) to Armor

  • The agent has registered properly


For Armor Anywhere, the Protection score focuses on the following services:

  • Malware Protection

  • FIM

  • IDS

  • Filebeat (for Windows and Linux)

  • Winlogbeat (for Windows)

  • Vulnerability Scanning


Review Widgets and Graph

Protection Score

This widget displays a calculated score that includes the number of subagents in an unhealthy state.

Score range and health status:

  • 10 - 8: Good

  • 7 - 4: Fair

  • 3 - 1: Poor

Note

  • For Armor's private cloud, only virtual machines that are in a Powered On state are included.

  • For Armor Anywhere, only virtual machines that have communicated (heartbeated) with Armor in the last 4 hours are included.

Info

Scores in the security dashboards are calculated and updated every night at 2:00 AM UTC.

Assets Protected

This widget displays the number of virtual machines that contain the Armor agent.

Note

Newly created virtual machines will not be reflected in the number of Assets Protected until the following day.

Healthy Services

This widget displays the percentage of agents and subagents that are working properly.

Protection Score Trend

This graph displays the history of your protection scores.

Understand Service Health

To view this section, you must have the Read Virtual Machine(s) permission assigned to your account.

The table in this section contains the following columns:

Asset Name

This column displays the name of the virtual machine.

You can click the name of the virtual machine to access the Virtual Machine details screen.

Status

This column displays the security status of the virtual machine.

  • Unprotected indicates the agent is not installed in the instance.

    • Instances without an agent will be labeled as Unprotected. All instances from the public cloud account will be displayed.

  • Needs Attention indicates that the agent is installed, but has not properly communicated (heartbeated) with Armor.

  • OK indicates that the agent is installed and has communicated (heartbeated) with Armor.

Location

For Armor's private cloud, this column will display the name of the Armor virtual site.

For Armor Anywhere, this column will display the name of the public cloud provider.

Ticket

This column displays the support ticket that troubleshoots the Protection issue.
A Protection issue will automatically generate a support ticket.


Health Rules

Health Rules calculate the status of several managed services provided or orchestrated by Armor. The status of these checks rolls into the Protection score in AMP and helps guide our support and remediation efforts.

The health rules are grouped under each Rule Family.

Types of Rule Family

  1. Armor Agent

  2. File Logging

  3. FIM

  4. IDS

  5. Log Collector

  6. Malware Protection

  7. OS Monitoring

  8. Vulnerability Scanning

  9. Windows Event Logging

The rules in each family, with the service they check and how often they run:

Rule Family: Armor Agent (Service: Armor Agent; Frequency: Hourly)

  • HasRecentHeartbeat: if the latest CORE heartbeat is > 4 hours old

  • HasCorrectVersion: if the CORE Agent is not running the latest version

Rule Family: File Logging (Service: Filebeat; Frequency: Hourly)

  • HasCorrectVersion: if Filebeat is not running the latest version

  • HasRecentLogs: if the last log received by ELK for that CoreinstanceId is > 4 hours old

  • IsInstalled: if the Filebeat agent is not installed

Rule Family: Windows Event Logging (Service: Winlogbeat; Frequency: Hourly)

  • HasCorrectVersion: if Winlogbeat is not running the latest version

  • HasRecentLogs: if the last log received by ELK for that CoreinstanceId is > 4 hours old

  • IsInstalled: if the Winlogbeat agent is not installed

Rule Family: FIM (Service: Trend; Frequency: Hourly)

  • HasRecentHeartbeat: if the latest Trend heartbeat is > 4 hours old

  • IsPluginPresent: if FIM is "On, matching module plug-in not found" (example: FIM On but Module Not Found)

  • IsRealtimeOrHasRules: if FIM is not "On, Realtime", or "On" with > 0 rules (example: FIM On but No Policy)

  • ModuleIsOn: if FIM is not "On"

Rule Family: IDS (Service: Trend; Frequency: Hourly)

  • HasRecentHeartbeat: if the latest Trend heartbeat is > 4 hours old

  • HasRules: if IDS is "On" and has > 0 rules (example: IDS installed but no rules)

  • IsOnTapMode: if IDS is "On" and has tap mode on

  • ModuleIsOn: if IDS is not "On"

Rule Family: Malware Protection (Service: Trend; Frequency: Hourly)

  • HasAgentFailed: if the Anti-Malware update failed

  • HasRecentHeartbeat: if the latest Trend heartbeat is > 4 hours old

  • IsRebootRequired: if the Anti-Malware status is "Computer reboot required"

  • ModuleIsOn: if Anti-Malware is not "On"

  • ModuleOnPluginNotFound: if Anti-Malware is "On, matching module plug-in not found"

Rule Family: OS Monitoring (Service: Panopta; Frequency: Hourly)

  • HasCorrectVersion: if Panopta is not running the latest version

  • IsInstalled: if Panopta is not installed

Rule Family: Vulnerability Scanning (Service: IR Agent; Frequency: once a week, Sundays at 10 PM UTC)

  • InMostRecentScan: if the IR Agent did not scan in the previous scan period

  • IsInstalled: if the IR Agent is not installed

Rule Family: Log Collector (Service: Logstash; Frequency: Hourly)

  • HasDelayedLogs: if events from this Log Collector are averaging longer than 1 hour to be received

  • HasRecentLogs: if events from this Log Collector have been received > 80%
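To make the rule table concrete, the following is an added example (not Armor's code) that evaluates the Armor Agent, File Logging, Windows Event Logging, Malware Protection, FIM and IDS rules above over constructed virtual machine records, and maps each record to the Unprotected / Needs Attention / OK status the Service Health table describes. The record layout (the dictionary keys), the version strings and the sample hosts are assumptions made for the example; it also assumes that a rule "fails" exactly when the condition listed on the page holds. The OS Monitoring, Vulnerability Scanning and Log Collector rules are left out.

```python
from datetime import datetime, timedelta, timezone

# Threshold exactly as stated in the Health Rules table: a heartbeat or log is
# stale once it is more than 4 hours old.
STALE_AFTER = timedelta(hours=4)


def older_than(ts, now, limit=STALE_AFTER):
    """True when a timestamp is missing or further in the past than `limit`."""
    return ts is None or now - ts > limit


def protection_status(vm, now):
    """Map one VM record to the Status column values the page describes."""
    if not vm.get("agent_installed"):
        return "Unprotected"          # no Armor agent in the instance
    if older_than(vm.get("core_heartbeat"), now):
        return "Needs Attention"      # agent installed but not heartbeating
    return "OK"


def failed_rules(vm, now, latest):
    """Return [(rule family, rule name)] for every rule that fails for one VM.
    Assumption: the record keys below, and that a rule fails when its listed
    condition is true; names and thresholds follow the page's table."""
    failed = []
    if not vm.get("agent_installed"):
        return failed                 # an Unprotected instance has no subagent checks
    # Armor Agent family
    if older_than(vm.get("core_heartbeat"), now):
        failed.append(("Armor Agent", "HasRecentHeartbeat"))
    if vm.get("core_version") != latest["core"]:
        failed.append(("Armor Agent", "HasCorrectVersion"))
    # File Logging (Filebeat) and Windows Event Logging (Winlogbeat) share three rules
    for family, beat in (("File Logging", "filebeat"), ("Windows Event Logging", "winlogbeat")):
        if beat == "winlogbeat" and vm["os"] != "windows":
            continue                  # Winlogbeat is a Windows-only service
        state = vm.get(beat)
        if state is None:
            failed.append((family, "IsInstalled"))
            continue
        if state["version"] != latest[beat]:
            failed.append((family, "HasCorrectVersion"))
        if older_than(state.get("last_log"), now):
            failed.append((family, "HasRecentLogs"))
    # Trend Micro Deep Security modules behind Malware Protection, FIM and IDS
    trend = vm.get("trend")
    if trend is None:
        return failed
    for family in ("Malware Protection", "FIM", "IDS"):
        if older_than(trend.get("heartbeat"), now):
            failed.append((family, "HasRecentHeartbeat"))
    for family, key in (("Malware Protection", "am"), ("FIM", "fim"), ("IDS", "ids")):
        mode = trend[key]["mode"]
        rules = trend[key].get("rules", 0)
        if not mode.startswith("On"):
            failed.append((family, "ModuleIsOn"))
        if mode == "On, matching module plug-in not found" and key != "ids":
            failed.append((family, "ModuleOnPluginNotFound" if key == "am" else "IsPluginPresent"))
        if key == "fim" and mode != "On, Realtime" and not (mode == "On" and rules > 0):
            failed.append((family, "IsRealtimeOrHasRules"))
        if key == "ids" and mode == "On" and rules == 0:
            failed.append((family, "HasRules"))
    if trend["am"].get("update_failed"):
        failed.append(("Malware Protection", "HasAgentFailed"))
    if trend["am"].get("status") == "Computer reboot required":
        failed.append(("Malware Protection", "IsRebootRequired"))
    return failed


NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)                  # constructed "now"
LATEST = {"core": "3.1.0", "filebeat": "5.2.0", "winlogbeat": "5.2.0"}  # constructed versions
SAMPLE_VMS = {                                                           # constructed records
    "win-web-01": {
        "os": "windows", "agent_installed": True,
        "core_heartbeat": NOW - timedelta(minutes=30), "core_version": "3.1.0",
        "filebeat": {"version": "5.1.0", "last_log": NOW - timedelta(hours=1)},
        "winlogbeat": {"version": "5.2.0", "last_log": NOW - timedelta(hours=5)},
        "trend": {"heartbeat": NOW - timedelta(minutes=10),
                  "am": {"mode": "On", "rules": 12},
                  "fim": {"mode": "On, Realtime", "rules": 40},
                  "ids": {"mode": "On", "rules": 0}},
    },
    "lnx-db-01": {
        "os": "linux", "agent_installed": True,
        "core_heartbeat": NOW - timedelta(hours=6), "core_version": "3.1.0",
        "filebeat": {"version": "5.2.0", "last_log": NOW - timedelta(minutes=5)},
        "trend": {"heartbeat": NOW - timedelta(hours=6),
                  "am": {"mode": "On", "rules": 12, "status": "Computer reboot required"},
                  "fim": {"mode": "On", "rules": 0},
                  "ids": {"mode": "Off", "rules": 0}},
    },
    "lnx-new-02": {"os": "linux", "agent_installed": False},   # agent not installed yet
}


def report(vms, now, latest):
    """Per-VM status and failing rules, as the Protection screen's table would list them."""
    return {name: {"status": protection_status(vm, now),
                   "failed": failed_rules(vm, now, latest)} for name, vm in vms.items()}


if __name__ == "__main__":
    for name, row in report(SAMPLE_VMS, NOW, LATEST).items():
        print(name, row["status"], [f"{fam}/{rule}" for fam, rule in row["failed"]])
```

Run as a script it prints one line per sample host. Note how the stale CORE heartbeat on lnx-db-01 turns the Status column to Needs Attention while the Trend heartbeat rule fails separately for each of the three Trend-backed families, which is why a single unreachable Deep Security agent shows up as several unhealthy subagents in the Protection score.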


Improve your Protection Score

You can use the information below to troubleshoot the issues displayed in the Protection screen.

Armor recommends that you troubleshoot these issues to:

  • Improve your Protection scores

  • Improve your overall health scores

  • Increase the overall security of your environment

Review each step to troubleshoot your problem. If the first step does not resolve the issue, then continue to the second step until the issue has been resolved. As always, you can send a support ticket.

Issue: The filebeat logging agent is not installed.

Windows

Configurations are stored in the winlogbeat and filebeat directories within C:\.armor\opt\

    cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
    cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.

  • Commands should run in PowerShell.

  • To review additional configurations, certificates, and service information, review the server's directories:

      • C:\.armor\opt\winlogbeat*

      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat and filebeat:

    gsv -displayname armor-winlogbeat,armor-filebeat

To verify the operation of the logging service processes, look for filebeat and winlogbeat:

    gps filebeat,winlogbeat

Confirm the configured log endpoint:

    cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts

Linux

Configurations are stored within /etc/filebeat/filebeat.yml:

    cat /etc/filebeat/*.yml

Verify the operation of the filebeat service:

    ps aux | grep filebeat

Confirm the configured log endpoint:

    grep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_id:

    grep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant ID:

    grep -i tenant_id /etc/filebeat/filebeat.yml

Issue: The winlogbeat logging agent is not installed.

Step 1: Verify the status of filebeat

Note

This section only applies to Windows users.

Configurations are stored in the winlogbeat and filebeat directories within C:\.armor\opt\

    cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
    cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.

  • Commands should run in PowerShell.

  • To review additional configurations, certificates, and service information, review the server's directories:

      • C:\.armor\opt\winlogbeat*

      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat and filebeat:

    gsv -displayname armor-winlogbeat,armor-filebeat

To verify the operation of the logging service processes, look for filebeat and winlogbeat:

    gps filebeat,winlogbeat

Confirm the configured log endpoint:

    cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts

Issue: Armor has not received a log in the past 4 hours.

Step 1: Check Logging Services

Windows

Configurations are stored in the winlogbeat and filebeat directories within C:\.armor\opt\

    cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
    cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.

  • Commands should run in PowerShell.

  • To review additional configurations, certificates, and service information, review the server's directories:

      • C:\.armor\opt\winlogbeat*

      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat and filebeat:

    gsv -displayname armor-winlogbeat,armor-filebeat

To verify the operation of the logging service processes, look for filebeat and winlogbeat:

    gps filebeat,winlogbeat

Confirm the configured log endpoint:

    cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts

Linux

Configurations are stored within /etc/filebeat/filebeat.yml:

    cat /etc/filebeat/*.yml

Verify the operation of the filebeat service:

    ps aux | grep filebeat

Confirm the configured log endpoint:

    grep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_id:

    grep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant ID:

    grep -i tenant_id /etc/filebeat/filebeat.yml
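The three Linux grep commands in this step (and in the two filebeat and winlogbeat issues above) each answer one question about filebeat.yml by eye. The following is an added example, not Armor's code, that applies the same three checks to a config file's contents and returns a list of findings, so the check can be repeated across many hosts. The two sample configs are constructed for the example and are not copies of the file Armor installs; the example also assumes `hosts` is written as an inline YAML list and that the expected log endpoint port is the 515/tcp named in Step 2 below.

```python
import re

# Constructed filebeat.yml samples (an assumption about the layout, not Armor's file).
# Only the keys the page's grep commands look for matter: hosts, external_id, tenant_id.
SAMPLE_OK = """\
filebeat.prospectors:
  - input_type: log
    paths:
      - /var/log/*.log
fields:
  external_id: "EXAMPLE-EXTERNAL-ID"
  tenant_id: "EXAMPLE-TENANT-ID"
output.logstash:
  hosts: ["logs.example.invalid:515"]
"""

SAMPLE_BROKEN = """\
filebeat.prospectors:
  - input_type: log
fields:
  external_id: "EXAMPLE-EXTERNAL-ID"
output.logstash:
  hosts: ["logs.example.invalid:5044", "backup.example.invalid"]
"""


def extract_setting(yaml_text, key):
    """Return the value after `key:` on the first matching line, case-insensitively
    (the line `grep -i key` would print), or None when the key is absent."""
    pattern = r"^\s*" + re.escape(key) + r"\s*:\s*(.*?)\s*$"
    match = re.search(pattern, yaml_text, re.IGNORECASE | re.MULTILINE)
    return match.group(1) if match else None


def parse_hosts(value):
    """Parse an inline YAML list such as ["a:515", "b:515"] into (host, port) pairs;
    a missing or non-numeric port is reported as None."""
    inner = value.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    hosts = []
    for item in inner.split(","):
        item = item.strip().strip("'\"")
        if not item:
            continue
        host, sep, port = item.rpartition(":")
        if not sep:                      # no ":" at all: the whole item is the host
            host, port = item, ""
        hosts.append((host, int(port) if port.isdigit() else None))
    return hosts


def check_filebeat_config(yaml_text, expected_port=515):
    """Apply the page's three checks and return the findings; an empty list means
    the file names a log endpoint on the expected port and carries both IDs."""
    findings = []
    for key in ("external_id", "tenant_id"):
        value = extract_setting(yaml_text, key)
        if value is None or value.strip("'\"") == "":
            findings.append(f"{key} is missing or empty")
    hosts_value = extract_setting(yaml_text, "hosts")
    hosts = parse_hosts(hosts_value) if hosts_value is not None else []
    if not hosts:
        findings.append("no log endpoint configured under hosts")
    for host, port in hosts:
        if port != expected_port:
            findings.append(f"{host} uses port {port}, expected {expected_port}/tcp")
    return findings


if __name__ == "__main__":
    # On a live host, read the real file instead of the constructed samples:
    #   check_filebeat_config(open("/etc/filebeat/filebeat.yml").read())
    for label, text in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(label, check_filebeat_config(text) or "passes all checks")
```

A non-empty result maps directly onto the File Logging rules: a missing endpoint or identifier is the usual reason Filebeat is installed and running yet HasRecentLogs still fails.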



Step 2: Check Connectivity

Port

Destination

515/tcp




Malware Protection

Issue: Malware Protection has not provided a heartbeat in the past 4 hours

Step 1: Verify the status of the agent

Windows: verify that the service is running.

    gsv -displayname *trend*

Linux: verify that the service is running.

    ps aux | grep ds_agent

Step 2: Check the connectivity of the agent

Windows: verify the URL endpoint epsec.armor.com.

    & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Windows: confirm connection to the URL.

    new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux: verify the URL endpoint epsec.armor.com.

    /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Linux: confirm connection to the URL.

    telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows: verify a 200 response.

    PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
    HTTP Status: 200 - OK
    Response:
    Manager contact has been scheduled to occur in the next few seconds.

Linux: verify a 200 response.

    /opt/ds_agent/dsa_control -m
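Every "Confirm connection to the URL" step on this page, whether it uses `new-object System.Net.Sockets.TcpClient` on Windows, `telnet` on Linux, or the 515/tcp log endpoint in the logging issue's Step 2, asks the same question: does a TCP connection to the endpoint complete? The following is an added example, not Armor's or Trend Micro's code, that asks it non-interactively with a bounded timeout, so the same check can run unattended across a fleet and feed a monitoring job; it also covers the identical Step 2 in the FIM and IDS issues that follow. It assumes nothing about the hosts beyond a TCP port, and its `demo()` exercises the check offline against a listener it opens itself on 127.0.0.1 and against a loopback port with nothing listening.

```python
import socket
import threading


def tcp_reachable(host, port, timeout=3.0):
    """True when a TCP handshake to host:port completes within `timeout` seconds.
    Refused, timed-out, unroutable and unresolvable endpoints all yield False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoints(endpoints, timeout=3.0):
    """Return {(host, port): reachable} for every endpoint in the list."""
    return {ep: tcp_reachable(ep[0], ep[1], timeout=timeout) for ep in endpoints}


def _local_listener():
    """Open a throwaway listener on 127.0.0.1 so the check can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(1)

    def accept_loop():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()         # accept and drop: the handshake is all we test
        except OSError:              # raised once demo() closes the listener
            pass

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def _free_closed_port():
    """Reserve and immediately release a loopback port so nothing is listening on it."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def demo():
    """Check one open and one closed local port; returns (True, False)."""
    srv = _local_listener()
    open_port = srv.getsockname()[1]
    closed_port = _free_closed_port()
    targets = [("127.0.0.1", open_port), ("127.0.0.1", closed_port)]
    results = check_endpoints(targets, timeout=2.0)
    srv.close()
    return results[targets[0]], results[targets[1]]


if __name__ == "__main__":
    print(demo())
    # On a protected host the page's own target would be checked the same way:
    #   print(check_endpoints([("146.88.106.210", 443)]))   # epsec.armor.com
```

A False result for the manager endpoint while the service itself is running (Step 1) points at egress filtering or routing between the host and Armor rather than at the agent, which is the distinction the rest of this procedure relies on.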




Issue: Malware Protection is not installed or configured

Step 1: Verify the status of the agent

Linux: verify that the service is running.

    ps aux | grep ds_agent

Windows: verify that the service is running.

    gsv -displayname *trend*

Step 2: Check the connectivity of the agent

Windows: verify the URL endpoint epsec.armor.com.

    & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Windows: confirm connection to the URL.

    new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux: verify the URL endpoint epsec.armor.com.

    /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Linux: confirm connection to the URL.

    telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows: verify a 200 response.

    PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
    HTTP Status: 200 - OK
    Response:
    Manager contact has been scheduled to occur in the next few seconds.

Linux: verify a 200 response.

    /opt/ds_agent/dsa_control -m

Step 4: Check the components for the agent

Windows

    & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.AM

Linux

    /opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.AM

Note

Component.AM.mode describes whether the Malware Protection module is installed.

Component.AM.rules is the number of rules derived from the Armor Deep Security Manager.
Issue: FIM has not provided a heartbeat in the past 4 hours

Step 1: Verify the status of the agent

Windows: verify that the service is running.

    gsv -displayname *trend*

Linux: verify that the service is running.

    ps aux | grep ds_agent

Step 2: Check the connectivity of the agent

Windows: verify the URL endpoint epsec.armor.com.

    & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Windows: confirm connection to the URL.

    new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux: verify the URL endpoint epsec.armor.com.

    /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Linux: confirm connection to the URL.

    telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows: verify a 200 response.

    PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
    HTTP Status: 200 - OK
    Response:
    Manager contact has been scheduled to occur in the next few seconds.

Linux: verify a 200 response.

    /opt/ds_agent/dsa_control -m
Issue: FIM is installed but has not been configured

Step 1: Verify the status of the agent

Windows: verify that the service is running.

    gsv -displayname *trend*

Linux: verify that the service is running.

    ps aux | grep ds_agent

Step 2: Check the connectivity of the agent

Windows: verify the URL endpoint epsec.armor.com.

    & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Windows: confirm connection to the URL.

    new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux: verify the URL endpoint epsec.armor.com.

    /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Linux: confirm connection to the URL.

    telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows: verify a 200 response.

    PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
    HTTP Status: 200 - OK
    Response:
    Manager contact has been scheduled to occur in the next few seconds.

Linux: verify a 200 response.

    /opt/ds_agent/dsa_control -m

Step 4: Check the components for the agent

Windows

    & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.IM

Linux

    /opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.IM

Note

Component.IM.mode describes whether the FIM module is installed.

Component.IM.rules is the number of rules derived from the Armor Deep Security Manager.
Issue: FIM is not installed

Step 1: Verify the status of the agent

Windows: verify that the service is running.

    gsv -displayname *trend*

Linux: verify that the service is running.

    ps aux | grep ds_agent

Step 2: Check the connectivity of the agent

Windows: verify the URL endpoint epsec.armor.com.

    & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Windows: confirm connection to the URL.

    new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux: verify the URL endpoint epsec.armor.com.

    /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Linux: confirm connection to the URL.

    telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows: verify a 200 response.

    PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
    HTTP Status: 200 - OK
    Response:
    Manager contact has been scheduled to occur in the next few seconds.

Linux: verify a 200 response.

    /opt/ds_agent/dsa_control -m

Intrusion Detection System (IDS)

Issue: IDS has not provided a heartbeat in the past 4 hours

Step 1: Verify the status of the agent

Windows: verify that the service is running.

    gsv -displayname *trend*

Linux: verify that the service is running.

    ps aux | grep ds_agent

Step 2: Check the connectivity of the agent

Windows: verify the URL endpoint epsec.armor.com.

    & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Windows: confirm connection to the URL.

    new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux: verify the URL endpoint epsec.armor.com.

    /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Linux: confirm connection to the URL.

    telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows: verify a 200 response.

    PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
    HTTP Status: 200 - OK
    Response:
    Manager contact has been scheduled to occur in the next few seconds.

Linux: verify a 200 response.

    /opt/ds_agent/dsa_control -m

Issue: IDS is installed but has not been configured

Step 1: Verify the status of the agent

Windows: verify that the service is running.

    gsv -displayname *trend*

Linux: verify that the service is running.

    ps aux | grep ds_agent

Step 2: Check the connectivity of the agent

Windows: verify the URL endpoint epsec.armor.com.

    & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Windows: confirm connection to the URL.

    new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux: verify the URL endpoint epsec.armor.com.

    /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Linux: confirm connection to the URL.

    telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows: verify a 200 response.

    PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
    HTTP Status: 200 - OK
    Response:
    Manager contact has been scheduled to occur in the next few seconds.

Linux: verify a 200 response.

    /opt/ds_agent/dsa_control -m

Issue: IDS is not installed or enabled

Step 1: Verify the status of the agent

Windows: verify that the service is running.

    gsv -displayname *trend*

Linux: verify that the service is running.

    ps aux | grep ds_agent

Step 2: Check the connectivity of the agent

Windows: verify the URL endpoint epsec.armor.com.

    & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Windows: confirm connection to the URL.

    new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux: verify the URL endpoint epsec.armor.com.

    /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Linux: confirm connection to the URL.

    telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent

Windows

    PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
    HTTP Status: 200 - OK
    Response:
    Manager contact has been scheduled to occur in the next few seconds.

Linux

    /opt/ds_agent/dsa_control -m

Vulnerability Scanning

To remediate Vulnerability Scanning issues, please refer to this documentation.

Export Protection Screen Data

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Protection.

  3. (Optional) Use the search bar to customize the data displayed.

  4. Below the table, click CSV. You have the option to export all the data (All) or only the data that appears on the current screen (Current Set).

    The exported file contains the following columns:

    Asset Name
    This column displays the name of the virtual machine (or instance).

    Location
    This column displays the data center location for the virtual machine (or instance).

    Service
    For Armor's private cloud, the Protection score focuses on the following services:
    • Malware Protection
    • FIM
    • Filebeat (for Linux)
    • Winlogbeat (for Windows)

    For Armor Anywhere, the Protection score focuses on the following services:
    • Malware Protection
    • FIM
    • IDS
    • Filebeat (for Linux)
    • Winlogbeat (for Windows)
    • Vulnerability Scanning

    Status
    This column displays the security status of the virtual machine (or instance), which can be:
    • Warning
    • Needs Attention
    • OK

    Message
    This column displays a brief message to explain the reason for the Warning or Needs Attention status.
