Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

Topics Discussed

Table of Contents
maxLevel3
minLevel3
outlinefalse
typelist
printablefalse

You can use the information below to troubleshoot the issues displayed in the Protection screen.

Armor recommends that you troubleshoot these issues to:

  • Improve your Protection scores

  • Improve your overall Health scores

  • Increase the overall security of your environment

Review each step to troubleshoot your problem. If the first step does not resolve the issue, then continue to the second step until the issue has been resolved. As always, you can send a support ticket.

Logging

...

ESLP:Create a support ticket (snippet)

Armor Service

Issue

Remediation

Logging

The filebeat logging agent is not installed.


Expand
titleStep 1: Verify the status of filebeat



DescriptionCommandExtra information
WindowsConfigurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeatgsv -displayname winlogbeat,filebeat

To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat

Confirm the configured log endpointcat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts




LinuxConfigurations are stored within /etc/filebeat/filebeat.ymlcat /etc/filebeat/*.yml

Verify the operation of the filebeat serviceps aux | grep filebeat

Confirm the configured log endpointgrep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_idgrep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant IDgrep -i tenant_id /etc/filebeat/filebeat.yml



Expand
titleStep 2: Send a support ticket

Insert excerpt

ESLP:Create a support ticket (snippet)

Armor Support
Armor Support
nameCreate Support Ticket
nopaneltrue

Logging

The winlogbeat logging agent is not installed.

Note

This section only applies to Windows users.


Expand
titleStep 1: Verify the status of winlogbeat


DescriptionCommandExtra information
Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*
To verify the operation of the logging services, look for winlogbeat, filebeatgsv -displayname winlogbeat,filebeat
To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat
Confirm the configured log endpointcat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts



Expand
titleStep 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Logging

Armor has not received a log in the past 4 hours.


Expand
titleStep 1: Check logging services



DescriptionCommandExtra information
WindowsConfigurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeatgsv -displayname winlogbeat,filebeat

To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat

Confirm the configured log endpointcat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts




LinuxConfigurations are stored within /etc/filebeat/filebeat.ymlcat /etc/filebeat/*.yml

Verify the operation of the filebeat serviceps aux | grep filebeat

Confirm the configured log endpointgrep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_idgrep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant IDgrep -i tenant_id /etc/filebeat/filebeat.yml



Expand
titleStep 2: Check connectivity

PortDestination
515/tcp




Malware Protection

...

ESLP:Create a support ticket (snippet)

Armor Service

Issue

Remediation

Malware Protection

Malware Protection has not provided a heartbeat in the past 4 hours.


Expand
titleStep 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Expand
titleStep 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Expand
titleStep 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


LinuxVerify a 200 response


Code Block
/opt/ds_agent/dsa_control -m




Expand
titleStep 4: Send a support ticket

Insert excerpt

ESLP:Create a support ticket (snippet)

Armor Support
Armor Support
nameCreate Support Ticket
nopaneltrue

Malware Protection

Malware Protection is not installed or configured.


Expand
titleStep 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Expand
titleStep 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Expand
titleStep 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


LinuxVerify a 200 response


Code Block
/opt/ds_agent/dsa_control -m



Expand
titleStep 4: Check the components for the agent

Windows


Code Block
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.AM


Linux


Code Block
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.AM



Note

Component.AM.mode describes if the Malware Protection module is installed.

Component.AM.rulesis the number of rules derived from the Armor Deep Security Manager.



Expand
titleStep 5: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Malware Protection

Reboot is required for Malware Protection.


Expand
titleStep 1: Reboot your server

Step 1: Reboot your server


Expand
titleStep 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


File Integrity Monitoring (FIM)

...

Armor Service

Issue

Remediation

File Integrity Monitoring (FIM)

FIM has not provided a heartbeat in the past 4 hours.


Expand
titleStep 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent


Expand
titleStep 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Expand
titleStep 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


LinuxVerify a 200 response


Code Block
/opt/ds_agent/dsa_control -m



Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


File Integrity Monitoring (FIM)

FIM is installed but has not been configured.


Expand
titleStep 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Expand
titleStep 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Expand
titleStep 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


LinuxVerify a 200 response


Code Block
/opt/ds_agent/dsa_control -m



Expand
titleStep 4: Check the components for the agent

Windows


Code Block
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.IM


Linux


Code Block
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.IM


Note

Component.IM.mode describes if the FIM module is installed.

Component.IM.rulesis the number of rules derived from the Armor Deep Security Manager.



Expand
titleStep 5: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


File Integrity Monitoring (FIM)

FIM is not installed.


Expand
titleStep 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent


Expand
titleStep 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Expand
titleStep 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


LinuxVerify a 200 response


Code Block
/opt/ds_agent/dsa_control -m



Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Intrusion Detection System

...

Armor Service

Issue

Remediation

IDS

IDS has not provided a heartbeat in the past 4 hours.

Expand
titleStep 1: Verify the status of the agent



DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent

Excerpt
hiddentrue

Expand
titleStep

1

2:

Verify

Check the

status

connectivity of the agent



DescriptionCommand
Windows

code

Verify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c 

GetComponentInfo

GetAgentStatus | sls 

FWDPI Component.FWDPI.dpiRules: 164 Component.FWDPI.driverState: 3 Component.FWDPI.firewallMode: on-tap Component.FWDPI.mode: on-tapLinux
Code Block
[root@ip-172-31-43-60 ~]# /opt/ds_agent/dsa_query -c GetComponentInfo | grep FWDPI
2016-11-18 01:15:47.000000: [Debug/6] | Starting thread 'CScriptThread' with stack size of 1048576 | /build/workspace/Sustain/9.6SP1HF/Build_DSA_96SP1HF_Amazon64/src/dsa/core/threadMgr/Runnable.cpp:587:start | FA6:7F7767397880:*unknown*
Component.FWDPI.dpiRules: 145
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap
Expand
titleStep 2: Check the connectivity of the agent
DescriptionCommandWindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url
Confirm connection to the URLnew-object System.Net.Sockets.

-pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Expand
titleStep 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


LinuxVerify a 200 response


Code Block
/opt/ds_agent/dsa_control -m



Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


IDS

IDS is installed but has not been configured.

Expand
titleStep 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent

Expand
titleStep 2: Check the connectivity of the agent



DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Expand
titleStep 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


LinuxVerify a 200 response


Code Block
/opt/ds_agent/dsa_control -m



Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

IDS

IDS is not installed or enabled.


Expand
titleStep 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Expand
titleStep 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Expand
titleStep 3: Manually heartbeat the agent


Windows


Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


Linux


Code Block
/opt/ds_agent/dsa_control -m



Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Vulnerability Scanning

...

To remediate Vulnerability Scanning issues, please refer to thisĀ documentation.

...

Topics Discussed

Table of ContentsmaxLevel3minLevel3