Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Overview

You can use the information below to troubleshoot the issues displayed in the Protection screen. 

...

Review each step to troubleshoot your problem. If the first step does not resolve the issue, then continue to the second step until the issue has been resolved. As always, you can send a support ticket. 

...

Logging

Armor ServiceIssueRemediation
LoggingThe filebeat logging agent is not installed.
Expand
titleStep 1: Verify the status of filebeat

DescriptionCommandExtra information
WindowsConfigurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeatgsv -displayname winlogbeat,filebeat

To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat

Confirm the configured log endpointcat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts




LinuxConfigurations are stored within /etc/filebeat/filebeat.ymlcat /etc/filebeat/*.yml

Verify the operation of the filebeat serviceps aux | grep filebeat

Confirm the configured log endpointgrep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_idgrep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant IDgrep -i tenant_id /etc/filebeat/filebeat.yml
Expand
titleStep 2: Send a support ticket

Excerpt Include
Create a support ticket (snippet)
Create a support ticket (snippet)
nopaneltrue

Logging

The winlogbeat logging agent is not installed.

Note

This section only applies to Windows users.

Expand
titleStep 1: Verify the status of winlogbeat
DescriptionCommandExtra information
Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*
To verify the operation of the logging services, look for winlogbeat, filebeatgsv -displayname winlogbeat,filebeat
To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat
Confirm the configured log endpointcat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts
Expand
titleStep 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

LoggingArmor has not received a log in the past 4 hours.
Expand
titleStep 1: Check logging services

DescriptionCommandExtra information
WindowsConfigurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\
cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml
  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeatgsv -displayname winlogbeat,filebeat

To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat

Confirm the configured log endpointcat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts




LinuxConfigurations are stored within /etc/filebeat/filebeat.ymlcat /etc/filebeat/*.yml

Verify the operation of the filebeat serviceps aux | grep filebeat

Confirm the configured log endpointgrep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_idgrep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant IDgrep -i tenant_id /etc/filebeat/filebeat.yml
Expand
titleStep 2: Check connectivity
PortDestination
515/tcp
  • 46.88.106.196  
    • (1a.log.armor.com)
  • 146.88.144.196  
    • (2a.log.armor.com)


...

Malware Protection

Armor ServiceIssueRemediation
Malware Protection

Malware Protection has not provided a heartbeat in the past 4 hours.

Expand
titleStep 1: Verify the status of the agent

DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent



Expand
titleStep 2: Check the connectivity of the agent

DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)



LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Expand
titleStep 3: Manually heartbeat the agent

DescriptionCommand
WindowsVerify a 200 response
Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
Code Block
/opt/ds_agent/dsa_control -m



Expand
titleStep 4: Send a support ticket

Excerpt Include
Create a support ticket (snippet)
Create a support ticket (snippet)
nopaneltrue

Malware Protection

Malware Protection is not installed or configured.

Expand
titleStep 1: Verify the status of the agent

DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent
Expand
titleStep 2: Check the connectivity of the agent

DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)



LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443
Expand
titleStep 3: Manually heartbeat the agent

DescriptionCommand
WindowsVerify a 200 response
Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
Code Block
/opt/ds_agent/dsa_control -m



Expand
titleStep 4: Check the components for the agent
Windows
Code Block
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.AM
Linux
Code Block
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.AM
Note

Component.AM.mode describes if the Malware Protection module is installed.

Component.AM.rules is the number of rules derived from the Armor Deep Security Manager.

Expand
titleStep 5: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

Malware Protection

Reboot is required for Malware Protection.

Expand
titleStep 1: Reboot your server
Step 1: Reboot your server
Expand
titleStep 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


...

File Integrity Monitoring (FIM)

Armor ServiceIssueRemediation
File Integirty Monitoring (FIM)FIM has not provided a heartbeat in the past 4 hours.
Expand
titleStep 1: Verify the status of the agent

DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent
Expand
titleStep 2: Check the connectivity of the agent

DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)



LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443
Expand
titleStep 3: Manually heartbeat the agent

DescriptionCommand
WindowsVerify a 200 response
Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
Code Block
/opt/ds_agent/dsa_control -m



Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

File Integirty Monitoring (FIM)FIM is installed but has not been configured.
Expand
titleStep 1: Verify the status of the agent

DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent
Expand
titleStep 2: Check the connectivity of the agent

DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)



LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443
Expand
titleStep 3: Manually heartbeat the agent

DescriptionCommand
WindowsVerify a 200 response
Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
Code Block
/opt/ds_agent/dsa_control -m
Expand
titleStep 4: Check the components for the agent
Windows
Code Block
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.IM
Linux
Code Block
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.IM
Note

Component.IM.mode describes if the FIM module is installed.

Component.IM.rules is the number of rules derived from the Armor Deep Security Manager.

Expand
titleStep 5: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

File Integirty Monitoring (FIM)FIM is not installed.
Expand
titleStep 1: Verify the status of the agent

DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent
Expand
titleStep 2: Check the connectivity of the agent

DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)



LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443
Expand
titleStep 3: Manually heartbeat the agent

DescriptionCommand
WindowsVerify a 200 response
Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
Code Block
/opt/ds_agent/dsa_control -m



Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


...

Intrusion Detection System (IDS)

Armor ServiceIssueRemediation
IDSIDS has not provided a heartbeat in the past 4 hours.
Expand
titleStep 1: Verify the status of the agent

DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent
Excerpt
hiddentrue
Expand
titleStep 1: Verify the status of the agent
Windows
Code Block
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls FWDPI
 
Component.FWDPI.dpiRules: 164
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap
Linux
Code Block
[root@ip-172-31-43-60 ~]# /opt/ds_agent/dsa_query -c GetComponentInfo | grep FWDPI
2016-11-18 01:15:47.000000: [Debug/6] | Starting thread 'CScriptThread' with stack size of 1048576 | /build/workspace/Sustain/9.6SP1HF/Build_DSA_96SP1HF_Amazon64/src/dsa/core/threadMgr/Runnable.cpp:587:start | FA6:7F7767397880:*unknown*
Component.FWDPI.dpiRules: 145
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap



Expand
titleStep 2: Check the connectivity of the agent

DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)



LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443
Expand
titleStep 3: Manually heartbeat the agent

DescriptionCommand
WindowsVerify a 200 response
Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
Code Block
/opt/ds_agent/dsa_control -m
Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

IDSIDS is installed but has not been configured.
Expand
titleStep 1: Verify the status of the agent

DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent
Expand
titleStep 2: Check the connectivity of the agent

DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)



LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443
Expand
titleStep 3: Manually heartbeat the agent

DescriptionCommand
WindowsVerify a 200 response
Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
Code Block
/opt/ds_agent/dsa_control -m
Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

IDSIDS is not installed or enabled.
Expand
titleStep 1: Verify the status of the agent

DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent
Expand
titleStep 2: Check the connectivity of the agent

DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)



LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443
Expand
titleStep 3: Manually heartbeat the agent
Windows
Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
Linux
Code Block
/opt/ds_agent/dsa_control -m
Expand
titleStep 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


...

Vulnerability Scanning

Armor ServiceIssueRemediation
Vulnerability ScanningIf IR Agent is not installed
Expand
titleStep 1: Verify the status of the agent
Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*
Expand
titleStep 2: Check connectivity of the agent
PortDestination
443/tcp (IR Agent)
Note

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Expand
titleStep 3: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

Vulnerability ScanningThe Vulnerability Scanning agent did not run during the most recent scan.
Expand
titleStep 1: Verify the status of the agent
Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*
Expand
titleStep 2: Check connectivity of the agent
PortDestination
443/tcp (IR Agent)
  • endpoint.ingress.rapid7.com *
    • (United States)

  • eu.endpoint.ingress.rapid7.com *
    • (Europe, Middle East, Africa)
Note

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Expand
titleStep 3: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

...

Excerpt
hiddentrue













Excerpt
hiddentrue








Expand

Remediation Step 1:

Verify the status of the Trend agent




IssueRemediation Step 1Remediation Step 2Remediation Step 3Remediation Step 4

If latest Trend heartbeat is > 4 hours old

Make sure the Trend agent is on

For Windows:

ActionCommand in Powershell
Verify operation of the Trend Micro service in Windows
gsv -displayname *trend*
Verify operation of the Trend Micro processes in Windows
get-process "dsa", "notifier"
Confirm the URL endpoint defined by the DSA
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url
Note

There is also a coreServiceShell.exe process that represents the Trend Micro UI for a connected user session.

Note
If you do not see an entry with *.epsec.armor.com, then the Trend Micro agent did not install and register properly.



For Linux:

ActionCommand
Verify operation of the Trend ds_agent service in Linux
ps_axu | grep ds_agent
Confirm the URL endpoint defined by the DSA
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl
Note
If you do not see an entry with *.epsec.armor.com, then the Trend Micro agent did not install and register properly.

Check connectivity

Trend Micro Anti-Malware services utilize the following endpoints:

Trend Micro ports utilize the following:

  • 4119/tcp, Trend Console, API
  • 4120/tcp, Trend DSM Heartbeat
  • 4122/tcp, Trend Relay

Manually heartbeat the Trend agent

For Windows:

Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.



For Linux:

Code Block
/opt/ds_agent/dsa_control -m

Open a support ticket

Excerpt Include
Support Tickets
Support Tickets
nopaneltrue

If Anti-Malware is "On, matching module plug-in not found"


Make sure the Trend agent is on

For Windows:

ActionCommand in Powershell
Verify operation of the Trend Micro service in Windows
gsv -displayname *trend*
Verify operation of the Trend Micro processes in Windows
get-process "dsa", "notifier"
Confirm the URL endpoint defined by the DSA
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url
Note

There is also a coreServiceShell.exe process that represents the Trend Micro UI for a connected user session.

Note
If you do not see an entry with *.epsec.armor.com, then the Trend Micro agent did not install and register properly.




For Linux:

ActionCommand
Verify operation of the Trend ds_agent service in Linux
ps_axu | grep ds_agent
Confirm the URL endpoint defined by the DSA
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl
Note
If you do not see an entry with *.epsec.armor.com, then the Trend Micro agent did not install and register properly.

Check connectivity

Trend Micro Anti-Malware services utilize the following endpoints:

Trend Micro ports utilize the following:

  • 4119/tcp, Trend Console, API
  • 4120/tcp, Trend DSM Heartbeat
  • 4122/tcp, Trend Relay

Manually heartbeat the Trend agent

For Windows:

Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.



For Linux

Code Block
/opt/ds_agent/dsa_control -m

Open a support ticket

Excerpt Include
Support Tickets
Support Tickets
nopaneltrue

If Anti-Malware is not "On"

^^^^

If Anti-Malware status is "Computer reboot required"

Reboot your serverOpen a support ticketN/AN/A




FIM

IssueRemediation Step 1Remediation Step 2Remediation Step 3Remediation Step 4
If latest Trend heartbeat is > 4 hours old

Make sure the Trend agent is on

For Windows


ActionCommand
Verify operation of the Trend Micro service in Windows
gsv -displayname *trend*
Verify operation of the Trend Micro processes in Windows
get-process "dsa", "notifier"
Confirm the URL endpoint defined by the DSA
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url




For Linux

ActionCommand
Verify operation of the Trend ds_agent service in Linux
ps_axu | grep ds_agent
Confirm the URL endpoint defined by the DSA
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl


Note
If you do not see an entry with *.epsec.armor.com, then the Trend Micro agent did not install and register properly.

Check connectivity

Trend Micro FIM services utilize the following endpoints:

Trend Micro ports utilize the following: 

  • 4119/tcp, Trend Console, API
  • 4120/tcp, Trend DSM Heartbeat
  • 4122/tcp, Trend Relay


Manually heartbeat the Trend agent

For Windows

Code Block
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.


For Linux

Code Block
/opt/ds_agent/dsa_control -m

Open a support ticket

Excerpt Include
Support Tickets
Support Tickets
nopaneltrue

If FIM is not "On, Realtime", or "On" with > 0 rules



If FIM is "On, matching module plug-in not found"



If FIM is not "On"



...