Armor Anywhere Agent 3.0

The launch of Armor Anywhere Agent 3.0 includes new security capabilities added to the Armor Anywhere agent as well as new self-service features to give Security Analysts and DevOps practitioners greater operational control and visibility over their security.

The launch also incorporates overall enhancements to Armor’s cloud security platform to make it more modular, flexible and interoperable than ever before. These enhancements will accelerate Armor’s ability to deploy new security and compliance capabilities in the future for Armor customers.


What are the overall new capabilities and features being rolled out with the upgrade?

Besides major enhancements to the cloud security platform to make it more flexible and interoperable, the rollout includes the following enhancements to Armor Anywhere and related offers:

  • Intrusion Prevention – Allows organizations to prevent or block potential threats. Intrusion prevention has two modes – Prevent and Detect.
  • Policy Recommendation Scans – Scans your instance to identify any vulnerabilities to be aware of and that could be addressed through updated rulesets for Intrusion Prevention and File Integrity Management capabilities.
  • Log and Data Management
    • Addition of more cloud native and third-party sources for ingestion, analysis and correlation, and retention.
    • Log and Data Visualization – Provides advanced log search, analysis and visualization capabilities to allow users to conduct further analysis as well as create dashboards and reporting of log information.
    • Security Incident Connectors - Gives Armor customers and partners flexibility in how they consume our threat detection and response outputs based on their unique operational needs.
  • CLI Flexibility – Allows customers to turn up/down Armor capabilities using the Command Line Interface.
  • Toolbox – Allows customers to turn/up down Armor capabilities through an easy-to-use GUI within the Armor Management Portal.
  • Metadata Tagging – Allows customers to apply tagging to instances being monitored by Armor for sharper classification, referencing and accountability.

Separately, Armor will be changing its Vulnerability Scanning service to Qualys from Rapid7.


What is pricing for the new capabilities above/how will this affect billing?

For the capabilities and features above, with the exception of Log and Data Management, there are no additional costs or pricing changes involved. Customers will get these new capabilities and features free as part of what you already pay to Armor.

For pricing changes related to Log and Data Management, please see the related section later in this document.


When will the upgrade be performed?

Armor will begin customer upgrades to Armor Anywhere Agent 3.0 starting June 8 and slated to complete at the month.


What do I need to do to prepare for the upgrade?

Firewall ports must be configured to allow for the upgrade. However, depending on your solution with Armor, you may or may not need to take further action.

  • Armor Anywhere with secure hosting (formerly Armor Complete) customers will have the global firewall modified on their behalf. No action is required by these customers."
  • Armor Anywhere customers will need to take action to make sure their firewall ports are open to allow for the upgrade.

More specific information can be found on

Will the upgrade require a reboot?

No. Customers will not need to reboot systems after the upgrade is installed.

Will AMP change?

Yes. The Armor Management Portal will be updated with a handful of changes.

  • Intrusion Prevention: The current “Intrusion Detection” page will convert to “Intrusion Prevention” in the navigation structure.
  • Toolbox: Armor is adding a new Toolbox tool and related functionality to the navigation.
  • Tagging: Armor is adding Tagging functionality to AMP.
  • Separately, “Dynamic Threat Blocking” is being renamed to “IP Threat Lookup”

Do we need to upgrade to Trend v12 before Armor Anywhere Agent 3.0?

No. An upgrade to Trend v12 is unnecessary.


How will the AMP user interface change for the change to Qualys versus Rapid7 functionality?

Users should expect no change to AMP related to the change from Rapid7 to Qualys.


What else do we need to do to update to Armor Anywhere Agent 3.0?

Nothing. Armor will update the Anywhere agent for you.


Will there be any downtime as a result of the upgrade?

Armor does not anticipate any downtime for customers related to the upgrade.


Will we have the choice to stay with older version of the Armor Anywhere’s agent?

No. All existing customers will be upgraded to the new version.

  • If not, what will my experience be like if some of my agents are new, in combination with additional old agent versions

    Armor will remove old agents prior to installing new, so there should not be an instance where customers are running old and new versions of Armor Anywhere.


  • I’ve heard that Armor’s vulnerability scanning is transitioning to Qualys from Rapid7 with the upgrade. With Armor’s upgrade and transition of its vulnerability scanning to Qualys from Rapid 7, if we are running two different Armor Anywhere versions across our virtual machines, will there be multiple vulnerability screens?  

    Armor is transitioning to Qualys for vulnerability scanning as part of the upgrade. However, you should not see multiple vulnerability screens as part of the upgrade. Armor will remove old agents prior to installing new agents, so there should not be an instance where customers are running old and new versions of Armor Anywhere. 

We have automated deployment of Armor Anywhere – what do we need to update?

If you have automated deployment of Armor Anywhere, please be aware that the command to install the agent has changed. You can find updated command information here for updating your automated workflows.



Intrusion Prevention

Host-based Intrusion Prevention works to scan incoming traffic, detecting and blocking potential threats and malicious activity. IPS protects against SQL injections attacks, cross-site scripting attacks, and other web application vulnerabilities. Armor’s Intrusion Prevention has two settings – “Prevent” and “Detect.” The Detect mode is consistent with Armor’s prior IDS functionality.

Policy Recommendation Scans

With policy recommendations scans, you can scan your hosts to identify vulnerabilities and the state of controls on the host. Recommendation scans scan the operating system, installed applications, Windows registry, open ports, directory listings, the file system, running processes and services and users. The scans provide recommendations as well as can be set to automatically apply new rules and changes such as the addition of any new rules to Intrusion Prevention or File Integrity Monitoring, as examples.

Log and Data Management

Log and Data Management allows organizations to send more log and event information from cloud native services and third-party virtual appliances and devices for monitoring by Armor to 1) perform analysis and correlation for enhanced security fidelity (accuracy) and context related to security outcomes 2) store log information for 13 months to meet compliance framework requirements.


More Log Sources

Additional log sources that can be correlated against for deeper context into threats in customer environment. Log sources include:

  • Cloud Native Sources: AWS CloudTrail, Amazon GuardDuty, AWS VPC Flow Logs, AWS WAF
  • Agent Sources: Apache, IIS, NGINX
  • 3rd Party Sources: Log Relay: Check Point, Cisco ASA, Imperva Incapsula

Log Search and Data Visualization

Search and analyze log and event data collected from across your environment. Use advanced customization tools to create dashboards and data visualizations best suited to your organization.

Security Incident Connector

A connector is simply a connector allowing an application to provide another application with real-time information. The Security Incident Connector gives Armor customers and partners flexibility in how they consume our threat detection and response outputs based on their unique operational needs. For instance, if a partner had their own SOC but wanted to take advantage of Armor’s analysis and correlation of event information and feed the results of that into their own SIEM, the connector would allow that.

What has changed?

Armor has now made more log sources available for collection, ingestion, analysis and correlation including AWS cloud native services. Armor has also transitioned its Log Search and Data Visualization capability for general availability.

Are there any pricing changes?

Pricing changes pertain to new customers of Log and Data Management for security analysis of non-agent log sources and long-term (13 month) log storage. For interest in Log and Data Management and questions on pricing, please reach out to your Armor support person or seller.


The new self-service capabilities give operators – Security Analysts and DevOps practitioners – greater operational control and visibility over security for instances and other assets being monitored by Armor.


Command Line Interface

Armor now provides DevOps and Security Analysts the ability to turn up/down security and compliance capabilities through the Command Line Interface (CLI) or using Toolbox in the Armor Management Portal. The functionality gives users full management of sub-services and allows users to turn on or off IPS/IDS, Malware Protection, File Integrity Monitoring, Vulnerability Scanning, Log and Data Management and Recommendation Scans as they see appropriate. This can be done for one host or across multiple hosts at the same time. Operators can also deploy Armor Anywhere holistically through the CLI.


Toolbox brings the same operational control and flexibility to all users of AMP in a simpler, easy-to-use menu in AMP called “Toolbox.” Users can manage agent sub-services and perform changes security and compliance features for individual virtual machines or fleets of virtual machines.


Tagging in the Armor Management Portal allow users to assign tags to Virtual Machines. An operator/user might tag several virtual machine assets as “PCI-DSS” to signal that the assets are part of their PCI environment. Or, the operator/user may tag sets of Virtual Machines based on major projects, initiatives or even based on department ownership. Operators/Users can then review virtual machine information for a specific tag by sorting or filtering on the tag designation of interest.

If we turn off a capability, will that affect the state of our compliance with XYZ framework?

Yes. Depending on the capability, it is likely you will be affecting your compliance with XYZ framework. We recommend referencing the Armor Anywhere Compliance Matrix and Armor Anywhere with Secure Hosting Compliance Matrix for the specific impact turning off a capability may have.