Page Comparison

Topics Discussed

...

Widget and Graph Type

Description

Protection Score

This widget displays a calculated score that includes the number of subagents in an unhealthy state.

Note
For Armor 's private cloudEnterprise Cloud, only virtual machines that are in a Powered On state are included. For Armor Anywhere, only virtual machines that have communicated (heartbeated) with Armor in the last 4 hours are included.

Info
Scores in the security dashboards are calculated and updated every night at 2:00 AM UTC.

Assets Protected

This widget displays the number of virtual machines that contain the Armor agent.

Note
Newly created virtual machines will not be reflected in the number of Assets Protected until the following day.

Healthy Services

This widget displays the percentage of agents and subagents that are working properly.

Protection Score Trend

This graph displays the history of your protection scores.

...

Column	Description
Asset Name	This column displays the name of the virtual machine. You can click the name of the virtual machine to access the Virtual Machine details screen.
Status	This column displays the security status of the virtual machine. Unprotected indicates the agent is not installed in the instance. Instances without an agent will be labeled as Unprotected. All instances from the public cloud account will be displayed. Needs Attention indicates that the agent is installed, but has not properly communicated (heartbeated) with Armor. To troubleshoot a specific error message under Needs Attention, see Troubleshoot Protection Scores. OK indicates that the agent is installed and has communicated (hearbeated) with Armor.
Location	For Armor 's private cloudEnterprise Cloud, this column will display name of the Armor virtual site. For Armor Anywhere, this column will display the name of the public cloud provider.
Ticket	This column displays the support ticket that troubleshoots the Protection issue. A Protection issue will automatically generate a support ticket.

...

Expand

title	Issue: The filebeat logging agent is not installed.

	Description	Command	Extra information
Windows	Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml` `cat` `C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml`	Windows uses both winlogbeat and filebeat. Commands should run in Powershell. To review additional configurations, certificates, and service information, review a server's directory: C:\.armor\opt\winlogbeat* C:\.armor\opt\filebeat*
	To verify the operation of the logging services, look for winlogbeat, filebeat	`gsv -displayname armor-winlogbeat,armor-filebeat`
	To verify the operation of the logging service processes, look for winlogbeat	`gps` `filebeat,winlogbeat`
	Confirm the configured log endpoint	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml \| sls hosts`

Linux	Configurations are stored within /etc/filebeat/filebeat.yml	`cat` `/etc/filebeat/*.yml`
	Verify the operation of the filebeat service	`ps` `aux \| grep` `filebeat`
	Confirm the configured log endpoint	`grep` `-i hosts /etc/filebeat/filebeat.yml`
	Confirm the external_id	`grep` `-i external_id /etc/filebeat/filebeat.yml`
	Confirm the tenant ID	`grep` `-i tenant_id /etc/filebeat/filebeat.yml`

Expand

title	Issue: The winlogbeat logging agent is not installed.

Step 1: Verify the status of filebeat

Note
This section only applies to Windows users.

Description	Command	Extra Information
Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml` `cat` `C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml`	Windows uses both winlogbeat and filebeat. Commands should run in Powershell. To review additional configurations, certificates, and service information, review a server's directory: C:\.armor\opt\winlogbeat* C:\.armor\opt\filebeat*
To verify the operation of the logging services, look for winlogbeat, filebeat	`gsv -displayname armor-winlogbeat,armor-filebeat`
To verify the operation of the logging service processes, look for winlogbeat	`gps` `filebeat,winlogbeat`
Confirm the configured log endpoint	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml \| sls hosts`

Expand

title	Issue: Armor has not received a log in the past 4 hours.

Step 1: Check Logging Services

	Description	Command	Extra information
Windows	Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml` `cat` `C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml`	Windows uses both winlogbeat and filebeat. Commands should run in Powershell. To review additional configurations, certificates, and service information, review a server's directory: C:\.armor\opt\winlogbeat* C:\.armor\opt\filebeat*
	To verify the operation of the logging services, look for winlogbeat, filebeat	`gsv -displayname armor-winlogbeat,armor-filebeat`
	To verify the operation of the logging service processes, look for winlogbeat	`gps` `filebeat,winlogbeat`
	Confirm the configured log endpoint	`cat` `C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml \| sls hosts`

Linux	Configurations are stored within /etc/filebeat/filebeat.yml	`cat` `/etc/filebeat/*.yml`
	Verify the operation of the filebeat service	`ps` `aux \| grep` `filebeat`
	Confirm the configured log endpoint	`grep` `-i hosts /etc/filebeat/filebeat.yml`
	Confirm the external_id	`grep` `-i external_id /etc/filebeat/filebeat.yml`
	Confirm the tenant ID	`grep` `-i tenant_id /etc/filebeat/filebeat.yml`

Step 2: Check Connectivity

Port	Destination
515/tcp	46.88.106.196 (1a.log.armor.com) 146.88.144.196 (2a.log.armor.com)

Malware Protection

Expand

title	Issue: Malware Protection has not provided a heartbeat in the past 4 hours

Step 1: Verify the status of the agent

	Description	Command
Windows	Verify that the service is running	^{gsv -displayname trend}
Linux	Verify that the service is running	^{ps_axu \| grep ds_agent}

Step 2: Check the connectivity of the agent

	Description	Command
Windows	Verify the URL endpoint epsec.armor.com	^{& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url}
	Confirm connection to the URL	`new-object` `System.Net.Sockets.TcpClient('146.88.106.210', 443)`

Linux	Verify the URL endpoint epsec.armor.com	^{/opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl}
	Confirm connection to the URL	`telnet 146.88.106.210` `443`

Step 3: Manually heartbeat the agent

Description

Command

Windows

Verify a 200 response

Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m HTTP Status: 200 - OK Response: Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response

Code Block
/opt/ds_agent/dsa_control -m

...

Expand

title	Issue: Malware Protection is not installed or configured

Step 1: Verify the status of the agent

	Description	Command
Linux	Verify that the service is running	^{ps_axu \| grep ds_agent}
Windows	Verify that the service is running	^{gsv -displayname trend}

Step 2: Check the connectivity of the agent

	Description	Command
Windows	Verify the URL endpoint epsec.armor.com	^{& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url}
	Confirm connection to the URL	`new-object` `System.Net.Sockets.TcpClient('146.88.106.210', 443)`

Linux	Verify the URL endpoint epsec.armor.com	^{/opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl}
	Confirm connection to the URL	`telnet 146.88.106.210` `443`

Step 3: Manually heartbeat the agent

Description

Command

Windows

Verify a 200 response

Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m HTTP Status: 200 - OK Response: Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response

Code Block
/opt/ds_agent/dsa_control -m

Step 4: Check the components for the agent

Windows

Code Block
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo \| sls -pattern Component.AM

Linux

Code Block
/opt/ds_agent/dsa_query -c GetComponentInfo \| grep Component.AM

Note

Component.AM.mode describes if the Malware Protection module is installed.

Component.AM.rulesis the number of rules derived from the Armor Deep Security Manager.

Expand

title	Issue: Reboot is required for Malware Protection

Step 1: Reboot your server

File Integrity Monitoring (FIM)

...

Expand

title	Issue: FIM is installed but has not been configured

Step 1: Verify the status of the agent

Windows	Verify that the service is running	^{gsv -displayname trend}
Linux	Verify that the service is running	^{ps_axu \| grep ds_agent}

Step 2: Check the connectivity of the agent

	Description	Command
Windows	Verify the URL endpoint epsec.armor.com	^{& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url}
	Confirm connection to the URL	`new-object` `System.Net.Sockets.TcpClient('146.88.106.210', 443)`

Linux	Verify the URL endpoint epsec.armor.com	^{/opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl}
	Confirm connection to the URL	`telnet 146.88.106.210` `443`

Step 3: Manually heartbeat the agent

Description

Command

Windows

Verify a 200 response

Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m HTTP Status: 200 - OK Response: Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response

Code Block
/opt/ds_agent/dsa_control -m

Step 4: Check the components for the agent

Windows

Code Block
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo \| sls -pattern Component.IM

Linux

Code Block
/opt/ds_agent/dsa_query -c GetComponentInfo \| grep Component.IM

Note

Component.IM.mode describes if the FIM module is installed.

Component.IM.rulesis the number of rules derived from the Armor Deep Security Manager.

Expand

title	Issue: FIM is not installed

Step 1: Verify the status of the agent

	Description	Command
Windows	Verify that the service is running	^{gsv -displayname trend}
Linux	Verify that the service is running	^{ps_axu \| grep ds_agent}

Step 2: Check the connectivity of the agent

	Description	Command
Windows	Verify the URL endpoint epsec.armor.com	^{& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus \| sls -pattern url}
	Confirm connection to the URL	`new-object` `System.Net.Sockets.TcpClient('146.88.106.210', 443)`

Linux	Verify the URL endpoint epsec.armor.com	^{/opt/ds_agent/dsa_query -c GetAgentStatus \| grep AgentStatus.dsmUrl}
	Confirm connection to the URL	`telnet 146.88.106.210` `443`

Step 3: Manually heartbeat the agent

Description

Command

Windows

Verify a 200 response

Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m HTTP Status: 200 - OK Response: Manager contact has been scheduled to occur in the next few seconds.

Linux

Verify a 200 response

Code Block
/opt/ds_agent/dsa_control -m

...

Anchor
Export Protection screen data
Export Protection screen data
Export Protection Screen Data

...

In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Protection.
(Optional) Use the search bar to customize the data displayed.
Below the table, click CSV. You have the option to export all the data (All) or only the data that appears on the current screen (Current Set).

Column	Description
Column	Description
Asset Name	This column display the name of the virtual machine (or instance).
Location	This column displays the data center location for for the virtual machine (or instance).
Service	For Armor

...

Enterprise Cloud, the Protection scores focuses on the following services:
Malware Protection
FIM
Filebeat (for Linux)
Winlogbeat (for Windows)

For Armor Anywhere, the Protection scores focuses on the following services:

Malware Protection
FIM
IDS
Filebeat (for Linux)
Winlogbeat (for Windows)
Vulnerability Scanning
Status	This column displays the security status of the virtual machine (or instance), which can be:
	Warning
	Needs Attention
	OK
Message	This column displays a brief message to explain the reason for the Warning or Needs Attention status.

Versions Compared

Old Version 71

New Version Current

Key

Topics Discussed

Malware Protection

File Integrity Monitoring (FIM)

Anchor
Export Protection screen data
Export Protection screen data
Export Protection Screen Data

Page Comparison

Versions Compared

Old Version 71

New Version Current

Key

Malware Protection

File Integrity Monitoring (FIM)

AnchorExport Protection screen dataExport Protection screen dataExport Protection Screen Data

Anchor
Export Protection screen data
Export Protection screen data
Export Protection Screen Data