Versions Compared

Old Version 136

changes.mady.by.user Emad Abualjazer

Saved on

compared with

New Version 137

changes.mady.by.user Emad Abualjazer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Topics Discussed

Table of Contents

...

maxLevel3

...

minLevel3
outlinefalse
typelist
printablefalse

You can use the information below to troubleshoot the issues displayed in the Protection screen.

...

Review each step to troubleshoot your problem. If the first step does not resolve the issue, then continue to the second step until the issue has been resolved. As always, you can send a support ticket.

Logging

...

Armor Service

Issue

Remediation

Logging

The filebeat logging agent is not installed.


Expand
titleStep 1: Verify the status of filebeat



DescriptionCommandExtra information
WindowsConfigurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.

  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeatgsv -displayname winlogbeat,filebeat

To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat

Confirm the configured log endpointcat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts




LinuxConfigurations are stored within /etc/filebeat/filebeat.ymlcat /etc/filebeat/*.yml

Verify the operation of the filebeat serviceps aux | grep filebeat

Confirm the configured log endpointgrep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_idgrep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant IDgrep -i tenant_id /etc/filebeat/filebeat.yml



Expand
titleStep 2: Send a support ticket

Insert excerpt
ESLP:Create a support ticket (snippet)
ESLP:Create a support ticket (snippet)
nopaneltrue


Logging

The winlogbeat logging agent is not installed.

Note

This section only applies to Windows users.



Expand
titleStep 1: Verify the status of winlogbeat


DescriptionCommandExtra information
Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.

  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*
To verify the operation of the logging services, look for winlogbeat, filebeatgsv -displayname winlogbeat,filebeat
To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat
Confirm the configured log endpointcat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts



Expand
titleStep 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Logging

Armor has not received a log in the past 4 hours.


Expand
titleStep 1: Check logging services



DescriptionCommandExtra information
WindowsConfigurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.

  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeatgsv -displayname winlogbeat,filebeat

To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat

Confirm the configured log endpointcat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts




LinuxConfigurations are stored within /etc/filebeat/filebeat.ymlcat /etc/filebeat/*.yml

Verify the operation of the filebeat serviceps aux | grep filebeat

Confirm the configured log endpointgrep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_idgrep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant IDgrep -i tenant_id /etc/filebeat/filebeat.yml



Expand
titleStep 2: Check connectivity


PortDestination
515/tcp




Malware Protection

...

Armor Service

Issue

Remediation

Malware Protection

Malware Protection has not provided a heartbeat in the past 4 hours.


Expand
titleStep 1: Verify the status of the agent



DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Expand
titleStep 2: Check the connectivity of the agent



DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Expand
titleStep 3: Manually heartbeat the agent



DescriptionCommand
WindowsVerify a 200 response


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


LinuxVerify a 200 response


Code Block
/opt/ds_agent/dsa_control -m




Expand
titleStep 4: Send a support ticket

Insert excerpt
ESLP:Create a support ticket (snippet)
ESLP:Create a support ticket (snippet)
nopaneltrue


Malware Protection

Malware Protection is not installed or configured.


Expand
titleStep 1: Verify the status of the agent



DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Expand
titleStep 2: Check the connectivity of the agent



DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Expand
titleStep 3: Manually heartbeat the agent



DescriptionCommand
WindowsVerify a 200 response


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


LinuxVerify a 200 response


Code Block
/opt/ds_agent/dsa_control -m





Expand
titleStep 4: Check the components for the agent


Windows


Code Block
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.AM


Linux


Code Block
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.AM



Note

Component.AM.mode describes if the Malware Protection module is installed.

Component.AM.rulesis the number of rules derived from the Armor Deep Security Manager.



Expand
titleStep 5: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Malware Protection

Reboot is required for Malware Protection.


Expand
titleStep 1: Reboot your server

Step 1: Reboot your server


Expand
titleStep 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


File Integrity Monitoring (FIM)

...

Armor Service

Issue

Remediation

File Integrity Monitoring (FIM)

FIM has not provided a heartbeat in the past 4 hours.


Expand
titleStep 1: Verify the status of the agent



DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Expand
titleStep 2: Check the connectivity of the agent



DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Expand
titleStep 3: Manually heartbeat the agent



DescriptionCommand
WindowsVerify a 200 response


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


LinuxVerify a 200 response


Code Block
/opt/ds_agent/dsa_control -m





Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


File Integrity Monitoring (FIM)

FIM is installed but has not been configured.


Expand
titleStep 1: Verify the status of the agent



DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Expand
titleStep 2: Check the connectivity of the agent



DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Expand
titleStep 3: Manually heartbeat the agent



DescriptionCommand
WindowsVerify a 200 response


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


LinuxVerify a 200 response


Code Block
/opt/ds_agent/dsa_control -m




Expand
titleStep 4: Check the components for the agent


Windows


Code Block
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.IM


Linux


Code Block
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.IM



Note

Component.IM.mode describes if the FIM module is installed.

Component.IM.rulesis the number of rules derived from the Armor Deep Security Manager.



Expand
titleStep 5: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


File Integrity Monitoring (FIM)

FIM is not installed.


Expand
titleStep 1: Verify the status of the agent



DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Expand
titleStep 2: Check the connectivity of the agent



DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Expand
titleStep 3: Manually heartbeat the agent



DescriptionCommand
WindowsVerify a 200 response


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


LinuxVerify a 200 response


Code Block
/opt/ds_agent/dsa_control -m





Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Intrusion Detection System

...

Armor Service

Issue

Remediation

IDS

IDS has not provided a heartbeat in the past 4 hours.


Expand
titleStep 1: Verify the status of the agent



DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Excerpt
hiddentrue


Expand
titleStep 1: Verify the status of the agent


Windows


Code Block
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls FWDPI
 
Component.FWDPI.dpiRules: 164
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap


Linux


Code Block
[root@ip-172-31-43-60 ~]# /opt/ds_agent/dsa_query -c GetComponentInfo | grep FWDPI
2016-11-18 01:15:47.000000: [Debug/6] | Starting thread 'CScriptThread' with stack size of 1048576 | /build/workspace/Sustain/9.6SP1HF/Build_DSA_96SP1HF_Amazon64/src/dsa/core/threadMgr/Runnable.cpp:587:start | FA6:7F7767397880:*unknown*
Component.FWDPI.dpiRules: 145
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap






Expand
titleStep 2: Check the connectivity of the agent



DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Expand
titleStep 3: Manually heartbeat the agent



DescriptionCommand
WindowsVerify a 200 response


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


LinuxVerify a 200 response


Code Block
/opt/ds_agent/dsa_control -m




Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


IDS

IDS is installed but has not been configured.


Expand
titleStep 1: Verify the status of the agent



DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Expand
titleStep 2: Check the connectivity of the agent



DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Expand
titleStep 3: Manually heartbeat the agent



DescriptionCommand
WindowsVerify a 200 response


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


LinuxVerify a 200 response


Code Block
/opt/ds_agent/dsa_control -m




Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


IDS

IDS is not installed or enabled.


Expand
titleStep 1: Verify the status of the agent



DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Expand
titleStep 2: Check the connectivity of the agent



DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Expand
titleStep 3: Manually heartbeat the agent


Windows


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


Linux


Code Block
/opt/ds_agent/dsa_control -m




Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Vulnerability Scanning

...

To remediate Vulnerability Scanning issues, please refer to thisĀ documentation.