Topics Discussed
Table of Contents |
---|
minLevel | 1 |
---|
maxLevel | 3 |
---|
outline | false |
---|
type | list |
---|
printable | false |
---|
|
In the Protection screen, the Protection score focuses on the stability of Armor services to determine if
The agent is responding (hearbeating) to Armor
The agent has registered properly
For Armor Anywhere, the Protection scores focuses on the following services:
Malware Protection
FIM
IDS
Filebeat (for Windows and Linux)
Winlogbeat (for Windows)
Vulnerability Scanning
Review Widgets and Graph
...
Widget and Graph Type | Description |
---|
Protection Score | This widget displays a calculated score that includes the number of subagents in an unhealthy state. Image Added Note |
---|
For Armor Enterprise Cloud, only virtual machines that are in a Powered On state are included. For Armor Anywhere, only virtual machines that have communicated (heartbeated) with Armor in the last 4 hours are included.
|
Info |
---|
Scores in the security dashboards are calculated and updated every night at 2:00 AM UTC. |
|
Assets Protected | This widget displays the number of virtual machines that contain the Armor agent. Note |
---|
Newly created virtual machines will not be reflected in the number of Assets Protected until the following day. |
|
Healthy Services | This widget displays the percentage of agents and subagents that are working properly. |
Protection Score Trend | This graph displays the history of your protection scores. |
Understand Service Health
...
The Service Health section displays the virtual machines that contain the installed Armor agent.
Note |
---|
Newly created virtual machines will not be reflected in the Service Health table until the following day. |
To view this section, you must have the Read Virtual Machines(s) permission assigned to your account.
Column | Description |
---|
Asset Name | This column displays the name of the virtual machine. You can click the name of the virtual machine to access the Virtual Machine details screen. |
Status | This column displays the security status of the virtual machine. Unprotected indicates the agent is not installed in the instance. Needs Attention indicates that the agent is installed, but has not properly communicated (heartbeated) with Armor. OK indicates that the agent is installed and has communicated (hearbeated) with Armor.
|
Location | For Armor Enterprise Cloud, this column will display name of the Armor virtual site. For Armor Anywhere, this column will display the name of the public cloud provider. |
Ticket | This column displays the support ticket that troubleshoots the Protection issue. A Protection issue will automatically generate a support ticket. |
Health Rules
...
Health Rules calculates the status of several managed services provided or orchestrated by Armor. The status of these checks roll into AMP's Protection and help guide our support and remediation efforts.
The health rules are grouped under each Rule Family.
Types of Rule Family
Armor Agent
File Logging
FIM
IDS
Log Collector
Malware Protection
OS Monitoring
Vulnerability Scanning
Windows Event Logging
Rule Family | Rule | Description | Service | Frequency |
---|
Armor Agent | HasRecentHeartbeat | If latest CORE heartbeat is > 4 hours | Armor Agent | Hourly |
Armor Agent | HasCorrectVersion | If CORE Agent is not running latest version | Armor Agent | Hourly |
File Logging | HasCorrectVersion | If Filebeat is not running the latest version | Filebeat | Hourly |
File Logging | HasRecentLogs | If last received log for that CoreinstanceId is > 4 hours from ELK | Filebeat | Hourly |
File Logging | IsInstalled | If Filebeat agent is not installed | Filebeat | Hourly |
Window Event Logging | HasCorrectVersion | If Winlogbeat is not running the latest version | Winlogbeat | Hourly |
Window Event Logging | HasRecentLogs | if last received log for that CoreinstanceId is > 4 hours from ELK | Winlogbeat | Hourly |
Window Event Logging | IsInstalled | If Winlogbeat agent is not installed | Winlogbeat | Hourly |
FIM | HasRecentHeartbeat | If latest Trend heartbeat is > 4 hours | Trend | Hourly |
FIM | IsPluginPresent | If FIM is "On, matching module plug-in not found" Example : FIM On but Module Not Found | Trend | Hourly |
FIM | IsRealtimeOrHasRules | If FIM is not "On, Realtime", or "On" with > 0 rules ( Example: FIM On but No Policy | Trend | Hourly |
FIM | ModuleIsOn | If FIM is not "On" | Trend | Hourly |
IDS | HasRecentHeartbeat | if latest Trend heartbeat is > 4 hours | Trend | Hourly |
IDS | HasRules | If IDS is "On" and has > 0 rules Example: IDS installed but no rules | Trend | Hourly |
IDS | IsOnTapMode | If IDS is "On" and has tap mode on | Trend | Hourly |
IDS | ModuleIsOn | If IDS is not "On" | Trend | Hourly |
Malware Protection | HasAgentFailed | if Anti-Malware update failed | Trend | Hourly |
Malware Protection | HasRecentHeartbeat | If latest Trend heartbeat is > 4 hours old | Trend | Hourly |
Malware Protection | IsRebootRequired | if Anti-Malware status is "Computer reboot required" | Trend | Hourly |
Malware Protection | ModuleIsOn | If Anti-Malware is not "On" | Trend | Hourly |
Malware Protection | ModuleOnPluginNotFound | If Anti-Malware is "On, matching module plug-in not found" | Trend | Hourly |
OS Monitoring | HasCorrectVersion | If Panopta is not running the latest version | Panopta | Hourly |
OS Monitoring | IsInstalled | If Panopta is not Installed | Panopta | Hourly |
Vulnerability Scanning | InMostRecentScan | If IR Agent did not scan in previous scan period | IR Agent | 10 PM UTC once in Sunday |
Vulnerability Scanning | IsInstalled | If IR Agent is not installed | IR Agent | 10 PM UTC once in Sunday |
Log Collector | HasDelayedLogs | if Events from this Log Collector are averaging longer than 1 hour to be received | Logstash | Hourly |
Log Collector | HasRecentLogs | if events from this Log Collector have been received > 80% | Logstash | Hourly |
Improve your Protection Score
...
You can use the information below to troubleshoot the issues displayed in the Protection screen.
Armor recommends that you troubleshoot these issues to:
Improve your Protection scores
Improve your overall health scores
Increase the overall security of your environment
Review each step to troubleshoot your problem. If the first step does not resolve the issue, then continue to the second step until the issue has been resolved. As always, you can send a support ticket.
Note |
---|
To learn how to send a support ticket, see Armor Support. |
Logging
Expand |
---|
title | Issue: The filebeat logging agent is not installed. |
---|
|
| Description | Command | Extra information |
---|
Windows | Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\ | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
| Windows uses both winlogbeat and filebeat. Commands should run in Powershell. To review additional configurations, certificates, and service information, review a server's directory:
|
---|
| To verify the operation of the logging services, look for winlogbeat, filebeat | gsv -displayname armor-winlogbeat,armor-filebeat
|
|
---|
| To verify the operation of the logging service processes, look for winlogbeat | gps filebeat,winlogbeat
|
|
---|
| Confirm the configured log endpoint | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts
|
|
---|
|
|
|
|
---|
Linux | Configurations are stored within /etc/filebeat/filebeat.yml | cat /etc/filebeat/*.yml
|
|
---|
| Verify the operation of the filebeat service | ps aux | grep filebeat
|
|
---|
| Confirm the configured log endpoint | grep -i hosts /etc/filebeat/filebeat.yml
|
|
---|
| Confirm the external_id | grep -i external_id /etc/filebeat/filebeat.yml
|
|
---|
| Confirm the tenant ID | grep -i tenant_id /etc/filebeat/filebeat.yml
|
|
---|
|
Expand |
---|
title | Issue: The winlogbeat logging agent is not installed. |
---|
|
Step 1: Verify the status of filebeat Note |
---|
This section only applies to Windows users. |
Description | Command | Extra Information |
---|
Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\ | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
| Windows uses both winlogbeat and filebeat. Commands should run in Powershell. To review additional configurations, certificates, and service information, review a server's directory:
| To verify the operation of the logging services, look for winlogbeat, filebeat | gsv -displayname armor-winlogbeat,armor-filebeat
|
| To verify the operation of the logging service processes, look for winlogbeat | gps filebeat,winlogbeat
|
| Confirm the configured log endpoint | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts
| |
|
Expand |
---|
title | Issue: Armor has not received a log in the past 4 hours. |
---|
|
Step 1: Check Logging Services
| Description | Command | Extra information |
---|
Windows | Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\ | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
| Windows uses both winlogbeat and filebeat. Commands should run in Powershell. To review additional configurations, certificates, and service information, review a server's directory:
|
---|
| To verify the operation of the logging services, look for winlogbeat, filebeat | gsv -displayname armor-winlogbeat,armor-filebeat
|
|
---|
| To verify the operation of the logging service processes, look for winlogbeat | gps filebeat,winlogbeat
|
|
---|
| Confirm the configured log endpoint | cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts
|
|
---|
|
|
|
|
---|
Linux | Configurations are stored within /etc/filebeat/filebeat.yml | cat /etc/filebeat/*.yml
|
|
---|
| Verify the operation of the filebeat service | ps aux | grep filebeat
|
|
---|
| Confirm the configured log endpoint | grep -i hosts /etc/filebeat/filebeat.yml
|
|
---|
| Confirm the external_id | grep -i external_id /etc/filebeat/filebeat.yml
|
|
---|
| Confirm the tenant ID | grep -i tenant_id /etc/filebeat/filebeat.yml
|
|
---|
Step 2: Check Connectivity Port | Destination |
---|
515/tcp | 46.88.106.196 146.88.144.196
|
|
Malware Protection
Expand |
---|
title | Issue: Malware Protection has not provided a heartbeat in the past 4 hours |
---|
|
Step 1: Verify the status of the agent
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps_axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88.106.210 443
|
---|
Step 3: Manually heartbeat the agent
| Description | Command |
---|
Windows | Verify a 200 response |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux | Verify a 200 response |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
|
Expand |
---|
title | Issue: Malware Protection is not installed or configured |
---|
|
Step 1: Verify the status of the agent
| Description | Command |
---|
Linux | Verify that the service is running | ps_axu | grep ds_agent |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88.106.210 443
|
---|
Step 3: Manually heartbeat the agent
| Description | Command |
---|
Windows | Verify a 200 response |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux | Verify a 200 response |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
Step 4: Check the components for the agent Windows |
Code Block |
---|
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.AM |
|
---|
Linux |
Code Block |
---|
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.AM |
|
---|
Note |
---|
Component.AM.mode describes if the Malware Protection module is installed. Component.AM.rulesis the number of rules derived from the Armor Deep Security Manager. |
|
Expand |
---|
title | Issue: Reboot is required for Malware Protection |
---|
|
Step 1: Reboot your server |
File Integrity Monitoring (FIM)
Expand |
---|
title | Issue: FIM has not provided a heartbeat in the past 4 hours |
---|
|
Step 1: Verify the status of the agent
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps_axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88.106.210 443
|
---|
Step 3: Manually heartbeat the agent
| Description | Command |
---|
Windows | Verify a 200 response |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux | Verify a 200 response |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
|
Expand |
---|
title | Issue: FIM is installed but has not been configured |
---|
|
Step 1: Verify the status of the agent Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps_axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88.106.210 443
|
---|
Step 3: Manually heartbeat the agent
| Description | Command |
---|
Windows | Verify a 200 response |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux | Verify a 200 response |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
Step 4: Check the components for the agent Windows |
Code Block |
---|
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.IM |
|
---|
Linux |
Code Block |
---|
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.IM |
|
---|
Note |
---|
Component.IM.mode describes if the FIM module is installed. Component.IM.rulesis the number of rules derived from the Armor Deep Security Manager. |
|
Expand |
---|
title | Issue: FIM is not installed |
---|
|
Step 1: Verify the status of the agent
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps_axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88.106.210 443
|
---|
Step 3: Manually heartbeat the agent
| Description | Command |
---|
Windows | Verify a 200 response |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux | Verify a 200 response |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
|
Intrusion Detection System (IDS)
Expand |
---|
title | Issue: IDS has not provided a heartbeat in the past 4 hours |
---|
|
Step 1: Verify the status of the agent
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps_axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88.106.210 443
|
---|
Step 3: Manually heartbeat the agent
| Description | Command |
---|
Windows | Verify a 200 response |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux | Verify a 200 response |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
|
Expand |
---|
title | Issue: IDS is installed but has not been configured |
---|
|
Step 1: Verify the status of the agent
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps_axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88.106.210 443
|
---|
Step 3: Manually heartbeat the agent
| Description | Command |
---|
Windows | Verify a 200 response |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux | Verify a 200 response |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
|
Expand |
---|
title | Issue: IDS is not installed or enabled |
---|
|
Step 1: Verify the status of the agent
| Description | Command |
---|
Windows | Verify that the service is running | gsv -displayname *trend* |
---|
Linux | Verify that the service is running | ps_axu | grep ds_agent |
---|
Step 2: Check the connectivity of the agent
| Description | Command |
---|
Windows | Verify the URL endpoint epsec.armor.com | & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url |
---|
| Confirm connection to the URL | new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)
|
---|
|
|
|
---|
Linux | Verify the URL endpoint epsec.armor.com | /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl |
---|
| Confirm connection to the URL | telnet 146.88.106.210 443
|
---|
Step 3: Manually heartbeat the agent Windows |
Code Block |
---|
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds. |
|
---|
Linux |
Code Block |
---|
/opt/ds_agent/dsa_control -m |
|
---|
|
Vulnerability Scanning
To remediate Vulnerability Scanning issues, please refer to this documentation.
Anchor |
---|
| Export Protection screen data |
---|
| Export Protection screen data |
---|
|
Export Protection Screen Data...
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Protection.
(Optional) Use the search bar to customize the data displayed.
Below the table, click CSV. You have the option to export all the data (All) or only the data that appears on the current screen (Current Set).
Column | Description |
---|
Column | Description |
Asset Name | This column display the name of the virtual machine (or instance). |
Location | This column displays the data center location for for the virtual machine (or instance). |
Service | For Armor Enterprise Cloud, the Protection scores focuses on the following services: |
Malware Protection |
FIM |
Filebeat (for Linux) |
Winlogbeat (for Windows) |
|
For Armor Anywhere, the Protection scores focuses on the following services: |
|
Malware Protection |
FIM |
IDS |
Filebeat (for Linux) |
Winlogbeat (for Windows) |
Vulnerability Scanning |
Status | This column displays the security status of the virtual machine (or instance), which can be: |
Warning |
Needs Attention |
OK |
Message | This column displays a brief message to explain the reason for the Warning or Needs Attention status. |