Troubleshoot Protection Scores

Overview

You can use this document to troubleshoot issues with your protection score within the Armor Management Portal (AMP).

Specifically, you can use this document to troubleshoot an environment that is in a Needs Attention state.

Pre-Troubleshooting Steps

Before you troubleshoot a specific error message, Armor recommends that you confirm the following characteristics for your Trend agent:

  • Is installed

  • Is running properly

  • Can connect to the required IP addresses / ports

Verify that the Trend Agent is Installed



Instructions

Windows

  1. As an administrator, open PowerShell.

  2. In the Armor Agent command line, run the following command to verify that the subagents are installed:

    Get-Service -displayname "trend*"
    C:\.armor\opt\armor show subagents

  3. For Malware Protection, if Is Installed? is False, then run the following command to install the service:

    C:\.armor\opt\armor add malwareprotection

For Windows, a reboot will be required to complete the first installation.

Linux

  1. Obtain root access (sudo -i).

  2. Run the following command:

  3. For Malware Protection, if Is Installed? is False, then run the following command to install the service:

If the installation is unsuccessful, then contact Armor Support.

Run the following command, and then copy the output into the support ticket to share with Armor Support. Be sure to include any other output shown in the terminal.

Verify that the Trend agent is running properly



Instructions

Windows

  1. As an administrator, open PowerShell.

  2. Run the following command to verify that Trend is running:

You can also review the Services window for verification.

Linux

  1. Using "ps", run the following command to verify that the ds_agent is running:

  2. The output should list several processes.

  3. If you do not receive any results, verify the service using systemctl:

  4. If the agent is running, then you will see that Active shows active (running) in the logs:

  5. If the ds_agent was stopped on purpose, then you will see the string "Stopping ds_agent: [ OK ]" in the logs:

  6. If the ds_agent was stopped due to the process crashing, or due to OOMM (Out Of Memory Manager) killing the process, then you will see the string "Stopping ds_agent: [FAILED]" in the logs:

  7. If the service is not running, then run the following command to start the service:

     

Verify that the Trend agent can connect to the required IP addresses / ports



Instructions

Windows

  1. As an administrator, open PowerShell.

  2. Run the following command to verify that the Trend agent is able to connect to the required outbound IP addresses / ports:

  3. Review the output to ensure that there is a connection.

Linux

There are two options available for this test:

Option 1: From a Script File

  1. Navigate to a directory where your user has execute permissions, such as the user's home directory:

    • cd ~

  2. In this directory, create a new bash script file:

    • touch connectiontest.sh

  3. In the text editor of your choice, edit this file to include the entire connection test script:

    • nano connectiontest.sh

    • vim connectiontest.sh

    • emacs connectiontest.sh

  4. Save the file using the method dictated by your text editor of choice.

  5. Add the executable bit to the file:

    • chmod +x connectiontest.sh

  6. Execute the following script:

    • ./connectiontest.sh

Option 2: Directly from BASH

  1. Type an open parenthesis:

    • (

  2. Hit the Enter key.

  3. Paste the entire connection test script.

  4. Hit the Enter key.

  5. Type a close parenthesis:

    • )

  6. Hit the Enter key to run the script.

If your output does not match the Expected Output from Registered Server, verify that your firewall rules allow the host/port combinations required for Armor Anywhere to function, as listed in ANYWHERE Pre-Installation.
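An added example (not Armor's connection test script, which is not reproduced on this page): a bash check of the three TCP ports this page lists under Port Information (4119, 4120, 4122) that separates a silently dropped connection from an actively refused one. The host argument and the file name porttest.sh are assumptions; take the real host list from ANYWHERE Pre-Installation.

```bash
#!/usr/bin/env bash
# Added example: TCP reachability check for the ports this page lists.
# The host is supplied by the caller (assumption: it comes from
# ANYWHERE Pre-Installation). Requires bash (/dev/tcp) and coreutils timeout.

# Purpose of each port, as given under "Port Information" on this page.
port_purpose() {
  case "$1" in
    4119) echo "installation of the malware protection agent" ;;
    4120) echo "heartbeats and communication" ;;
    4122) echo "antimalware infrastructure and updates" ;;
    *)    echo "not listed on this page"; return 1 ;;
  esac
}

# Translate the probe's exit status into a state a firewall admin can act on.
classify_probe() {
  case "$1" in
    0)   echo "open" ;;       # TCP handshake completed
    124) echo "filtered" ;;   # timeout(1) fired: packets silently dropped
    *)   echo "closed" ;;     # immediate failure: reset, no route, or DNS error
  esac
}

# probe_port HOST PORT [SECONDS]: attempt one TCP connect and print the state.
probe_port() {
  rc=0
  timeout "${3:-5}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null || rc=$?
  classify_probe "$rc"
}

# check_all HOST [SECONDS]: probe every listed port; returns the failure count.
check_all() {
  failures=0
  for port in 4119 4120 4122; do
    state="$(probe_port "$1" "$port" "${2:-5}")"
    printf '%-8s %s:%s  (%s)\n' "$state" "$1" "$port" "$(port_purpose "$port")"
    [ "$state" = "open" ] || failures=$((failures + 1))
  done
  return "$failures"
}

# Probe only when a host is supplied, e.g. ./porttest.sh manager.example.invalid
# (placeholder host name, not a real Armor endpoint).
if [ "$#" -gt 0 ]; then
  check_all "$@"
fi
```

A "filtered" result usually points to a firewall dropping the traffic, while "closed" means the connection failed immediately (reset, no route, or the name did not resolve).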


Troubleshooting

Installation or Configuration

You can use this section to troubleshoot the following errors:

  • Malware Protection is not installed or configured

  • FIM is not installed

  • FIM is installed but has not been configured

  • IDS is not installed or enabled



Instructions

Windows

  1. As an administrator, open PowerShell.

  2. Run the following command:

    When this error is encountered, the output will be limited.

  3. If the above command failed, verify that Anti-Malware has been installed.

  4. If you do not see the C:\Program files\Trend Micro folder, then remove and re-install Malware protection, and then reboot after 10 minutes.

  5. As an administrator, open PowerShell, run the following command to confirm that the service is running successfully:

  6. If the service is in a bad state, then your output will match the following example, with only 3 services listed. This output indicates that the AMSP service is not installed, and that the agent is currently running in a limited capacity. In this case, you may not have received a policy or your agent has not been activated.

  7. If your agent did not activate, then run the following command:

  8. After 5 minutes, reboot the service.

  9. After the reboot, verify that your services are running, which should return the following output:

  10. If you do not see the AMSP service, then contact Armor Support. Within the ticket, be sure to provide all of the information / results that you have gathered so far.

Linux

  1. Run the following command to determine if a component of the anti-malware agent did not install correctly:

  2. If the components were installed correctly, then you will see an output similar to the following:

  3. Verify that the Component.AM.mode: line in the output is on, and not not-capable.

  4. If the previously run command returns the following output, you will need to reinstall the malwareprotection sub-agent.

  5. Run the following commands to re-install the malwareprotection subagent:

  6. After the re-installation process is complete, you must wait between 30 minutes and an hour for the agent's components to download and update. You can then run the following command to confirm the desired results:

  7. If you still see an error, then contact Armor Support. Within the ticket, paste the output from the following command:

    Information Gathering Script for Escalations

Heartbeat / Communication

You can use this section to troubleshoot the following errors:

  • Malware Protection has not provided a heartbeat in the past 4 hours.

  • FIM has not provided a heartbeat in the past 4 hours.

  • IDS has not provided a heartbeat in the past 4 hours.



Instructions

Windows

This issue often occurs if a server has been powered off or the network has changed.

  1. Run the following command to ensure that the AMSP service is running:

  2. If the service is running, you will see the following output:

  3. If the service is not running (stopped), then use the following command to start the Malware Protection agent and all other Malware Protection-related services:

  4. Run the following command to initiate a heartbeat to the Armor Malware Protection Infrastructure manually:

  5. Review the desired output. This will indicate that your virtual machine is able to connect to the Armor Malware Protection Infrastructure, and the agent will reach out to the Armor Malware Protection Infrastructure to update the status, as well as obtain policy updates and more:

    • In AMP, the "has not provided a heartbeat in the past 4 hours" error message will be removed within an hour.

  6. If this error message continues to display in AMP, run the following command as an administrator in PowerShell:

    If you encounter a failure, you may have a firewall conflict that requires intervention.

    Port Information:

    • TCP Port 4119 is required for installation of the malware protection agent.

    • TCP Port 4120 is required for Heartbeats and communication to the Armor Malware Protection Infrastructure.

    • TCP Port 4122 is required for communication to Antimalware Infrastructure and updates.

  7. If connectivity is successful and Armor Support has not yet been contacted, re-register the malware protection agent:

  8. If the error has not cleared, please contact Armor Support. Within the ticket, provide the information / results that you have gathered so far.

Linux

This issue often occurs if a server has been powered off, or if connectivity to the Armor Malware Protection Infrastructure has been blocked.

  1. Assuming that the server is powered on, run the following command to ensure that the Malware Protection agent is running:

  2. Review the output to verify that there are 4 separate processes, including /opt/ds_agent/ds_agent and /opt/ds_agent/ds_am:

  3. If you do not find that these processes are running, then you may need to restart the ds_agent, or reinstall the malwareprotection agent.

  4. To restart the ds_agent service, run the following command:

  5. To reinstall the malwareprotection agent, run the following command:

  6. If the ds_agent is running with all 4 expected processes, run the following command to manually heartbeat the agent:

  7. Review the following output for a successful heartbeat:

  8. If you do not see HTTP Status: 200 - OK, then you must test the connectivity to ensure that your firewall rules are working properly.

    There are two ways to test for connectivity:

    Option 1: From a Script File

    1. Navigate to a directory where your user has execute permissions, such as the user's home directory:

      • cd ~

    2. In this directory, create a new bash script file:

      • touch connectiontest.sh

    3. In the text editor of your choice, edit this file to include the entire connection test script:

      • nano connectiontest.sh

      • vim connectiontest.sh

      • emacs connectiontest.sh

    4. Save the file using the method dictated by your text editor of choice.

    5. Add the executable bit to the file:

      • chmod +x connectiontest.sh

    6. Execute the following script:

      • ./connectiontest.sh

    Option 2: Directly from BASH

    1. Type an open parenthesis:

      • (

    2. Hit the Enter key.

    3. Paste the entire connection test script.

    4. Hit the Enter key.

    5. Type a close parenthesis:

      • )

    6. Hit the Enter key to run the script.

     

  9. If you still see one of the heartbeat errors, then contact Armor Support and paste into the ticket the output from the following command:



Failure Update

You can use this section to troubleshoot the following errors:

  • Malware Protection has experienced an update failure, and is still in operation.



Instructions

Windows

This error usually resolves itself after the agent has heartbeated a few times; however, if it hasn't, then a manual update will be required.

  1. As an administrator, open PowerShell.

  2. Run the following command:

    This will specifically request an update for security definitions from the Armor Malware Protection Infrastructure, and should resolve the error in about an hour.

  3. If the above command failed, run the following commands IN ORDER to make sure the modules are set to be updated automatically:

  4. If the issue still persists, then contact Armor Support. Within the ticket, be sure to provide the output from the previously run commands.

Linux

This error usually resolves itself after the agent has heartbeated a few times; however, if it hasn't, then a manual update will be required.

  1. Run the following command:

  2. This will specifically request an update for security definitions from the Armor Malware Protection Infrastructure, and should resolve the error in about an hour.

  3. If the error is not resolved, run the following command to make sure the modules are set to be updated automatically:

  4. If you still see an error, then contact Armor Support. Within the ticket, paste the output from the following command:

Reboot after Installation

You can use this section to troubleshoot the following error:

  • Reboot is required for Malware Protection.



Instructions

Windows

When installed for the first time, Windows requires a reboot to finalize the changes being made to the registry. If you reboot when the installation prompts you, then you should not receive this error.

If you do receive this error, it means too much time has passed between installation & rebooting, and you'll need to contact Armor Support to manually refresh your Malware Protection Agent status via the Armor Malware Protection Infrastructure.

  1. Run the following command, and include the output within the ticket:
