Note

To fully use this screen, you must add the following permissions to your account:

  • Read AVAM
  • Write Trend Manual Scan
  • Read Trend Manual Scan


Enable Trend Sub-Agent


As a prerequisite to installing Malware Protection, you must install the Trend sub-agent. Use the commands below to manage the Trend sub-agent.

Info

You can also manage the Trend sub-agent in the Armor Toolbox.



Install Trend Sub-Agent:

Windows: C:\.armor\opt\armor.exe trend install
Linux: /opt/armor/armor trend install


Uninstall Trend Sub-Agent:

Windows: C:\.armor\opt\armor.exe trend uninstall
Linux: /opt/armor/armor trend uninstall 


Trend Sub-Agent Status:

Windows: C:\.armor\opt\armor.exe trend status
Linux: /opt/armor/armor trend status


The following Trend commands are not relevant to the Malware service. 


Turn On Recommended Scans:

Windows: C:\.armor\opt\armor.exe trend ongoing-recommendation-scan on
Linux: /opt/armor/armor trend ongoing-recommendation-scan on


Turn Off Recommended Scans:

Windows: C:\.armor\opt\armor.exe trend ongoing-recommendation-scan off
Linux: /opt/armor/armor trend ongoing-recommendation-scan off


Schedule a Recommended Scan (Runs on Next Trend Sub-Agent Heartbeat):

Windows: C:\.armor\opt\armor.exe trend recommendation-scan
Linux: /opt/armor/armor trend recommendation-scan


Set Recommendation Scan Interval:

Windows: C:\.armor\opt\armor.exe trend set-recommendation-scan-interval <interval>
Linux: /opt/armor/armor trend set-recommendation-scan-interval <interval>

Info

Options for <interval> are "24 Hours", "2 Days", "3 Days", "7 Days", "2 Weeks", "3 Weeks", "4 Weeks".


Get Recommendation Scan Interval:

Windows: C:\.armor\opt\armor.exe trend get-recommendation-scan-interval
Linux: /opt/armor/armor trend get-recommendation-scan-interval


Restart Trend:

Windows: C:\.armor\opt\armor.exe trend service-restart
Linux: /opt/armor/armor trend service-restart


Trend Sub-Agent Help:

Windows: C:\.armor\opt\armor.exe trend help
Linux: /opt/armor/armor trend help


Enable Malware Protection Service


Use the following commands to manage the Malware Protection service. Once the Trend sub-agent and the Malware service are enabled, you will be able to manage services in the Armor Toolbox.


Turn On Malware Protection:

Windows: C:\.armor\opt\armor.exe av on
Linux: /opt/armor/armor av on


Turn Off Malware Protection:

Windows: C:\.armor\opt\armor.exe av off
Linux: /opt/armor/armor av off


Malware Protection Help:

Windows: C:\.armor\opt\armor.exe av help
Linux: /opt/armor/armor av help


View Malware Events


The Total Malware Events table displays detected malware events from the past 30 days. You can click the widget to filter the data in the table below the widgets.

The Malware Protection subagent detects the following malware types: 

  • TROJAN (TROJ)
  • WORM
  • EICAR (VIRUS)
  • VIRTUS
  • RANSOM (RANSOMWARE)
  • SPYWARE
  • ADWARE
  • COINMINER (COIN_MINER)

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Malware Protection.
  3. Review the widgets for malware events.

    | Widget | Description |
    |---|---|
    | Clean | This widget indicates that the infected file was cleaned. |
    | Pass | This widget indicates that no action was taken on the infected file. |
    | Quarantine | This widget indicates that the file was renamed, and then moved to a temporary location. |
    | Delete | This widget indicates that an infected file was deleted. |
    | DenyAccess | This widget indicates that an infected file has restrictive access. As a result, no action was taken. |
    | Other | This widget indicates all other possible actions performed on the infected file, such as renaming the file. |

  4. (Optional) Click a widget to filter the table.

    | Column | Description |
    |---|---|
    | Name | This column displays the name of the virtual machine or instance. |
    | Malware Name | This column displays the name of the malware detected in your virtual machine or instance. |
    | File Name | This column displays the location of the malware detected in your virtual machine or instance. |
    | Action Taken | This column displays the action that took place in the file where the malware was detected: Cleaned, Passed, Quarantined, Deleted, Denied Access, Other. |
    | Date | This column displays the date when the malware was detected. |


View Service Health Data for Malware Protection 


  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Malware Protection.
  3. Navigate to the Malware Protection Service table.

  4. The status icons above the Malware Protection Service table indicate the overall Malware Protection status for all of your instances. There are three status types:

    • OK (in green) indicates that your server's agent has communicated (heartbeated) with Armor.
    • Warning (in yellow) indicates that your server's agent appears to be reporting behind its expected timelines.
    • Needs Attention (in red) indicates that your server's agent has not properly communicated (heartbeated) with Armor.

| Column | Description |
|---|---|
| Name | For Armor Complete, the name of the virtual machine you created in AMP. For Armor Anywhere, the name of the instance that contains the installed Anywhere agent, which includes the Malware Protection subagent. |
| Provider | For Armor Complete, the entry will display Armor. For Armor Anywhere, the name of the public cloud provider for the instance will appear. |
| Last Communication Date | The date and time that the Malware Protection subagent last communicated with Armor. Never displays if your server's agent has not run a Malware scan. |
| Last Scan | The date and time of the last Malware scan. Never indicates that your server's agent has not run a Malware scan. Persistent indicates that your server's agent has real-time scanning enabled. |
| Scan | The Scan button will display if your subagent has heartbeated within the last four hours, AND a scan is not already in progress for the virtual machine or instance. The Scan button will NOT display if an initial Malware scan has not been run, nor if your sub-agent has not heartbeated for that particular virtual machine or instance within the last four hours. The Scan button will be disabled if there are five active scans running on your account. |

The number of active scans will display in the top right corner of the table.

To learn how the overall Malware Protection status is determined, see Understand service health data for Malware Protection (below).


Understand Service Health Data for Malware Protection


In the Malware Protection screen, the Malware Protection Service table displays the various malware protection statuses of your virtual machines or instances:

  • Green indicates a virtual machine in a Secured Malware Protection status.
  • Yellow indicates a virtual machine in a Warning Malware Protection status. 
  • Red indicates a virtual machine in a Critical Malware Protection status.

The Malware Protection status can change based on the following two conditions:

  • The date of your last scan (Last Scan)
  • The date that Armor last received your data (Last Communication Date)

The overall status of your virtual machine is based on the individual status of your virtual machine's subcomponents (subagents), including Malware Protection.


Condition 1. Date of last scan

If the last scan for Malware Protection took place between 7 to 13 days ago, then the Malware Protection status changes from Secured to Warning.

If the last scan for Malware Protection took place 14 days ago or more, then the Malware Protection status changes from Warning to Critical.

| Date of last scan | Security status |
|---|---|
| 7 to 13 days ago | Warning |
| 14 days or more | Critical |


Condition 2. Date that Armor last received your data

If Armor last received data between 24 to 48 hours ago, then the Malware Protection status changes from Secured to Warning.

If Armor last received data over 48 hours ago, then the Malware Protection status changes from Warning to Critical.

| Date of Armor receiving your data | Security status |
|---|---|
| 24 to 48 hours ago | Warning |
| Over 48 hours | Critical |


Armor labels the Malware Protection status based on the worst status of the two conditions. For example, if the date of your last scan was 9 days ago, but Armor last received your data 72 hours ago, then overall, the Malware Protection status is Critical.
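
The two conditions and the worst-of rule above, as an added Python example (not Armor's code) that lists hosts in Warning or Critical status. It assumes whole elapsed days for Condition 1 and treats exactly 48 hours as Warning; the function names, host names and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from enum import IntEnum

class Status(IntEnum):  # ordered so that max() picks the worst status
    SECURED = 0
    WARNING = 1
    CRITICAL = 2

def scan_status(last_scan, now):
    """Condition 1: 7 to 13 days -> Warning, 14 days or more -> Critical."""
    days = (now - last_scan).days  # assumption: whole elapsed days
    if days >= 14:
        return Status.CRITICAL
    if days >= 7:
        return Status.WARNING
    return Status.SECURED

def comm_status(last_comm, now):
    """Condition 2: 24 to 48 hours -> Warning, over 48 hours -> Critical."""
    age = now - last_comm
    if age > timedelta(hours=48):
        return Status.CRITICAL
    if age >= timedelta(hours=24):
        return Status.WARNING
    return Status.SECURED

def overall_status(last_scan, last_comm, now):
    """The overall status is the worst of the two conditions."""
    return max(scan_status(last_scan, now), comm_status(last_comm, now))

def needs_ticket(hosts, now):
    """Return 'name: Status' for hosts not in Secured status, worst first."""
    rated = [(overall_status(scan, comm, now), name) for name, scan, comm in hosts]
    flagged = [r for r in rated if r[0] != Status.SECURED]
    flagged.sort(key=lambda r: -r[0])  # stable sort keeps input order within a status
    return [f"{name}: {status.name.title()}" for status, name in flagged]

# Constructed sample data: (name, last scan, last communication date).
NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)
HOSTS = [
    ("web-01", NOW - timedelta(days=2), NOW - timedelta(hours=3)),
    ("db-01", NOW - timedelta(days=9), NOW - timedelta(hours=72)),  # the example above
    ("app-01", NOW - timedelta(days=8), NOW - timedelta(hours=1)),
    ("app-02", NOW - timedelta(days=1), NOW - timedelta(hours=48)),
]

if __name__ == "__main__":
    for line in needs_ticket(HOSTS, NOW):
        print(line)
```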


View Detailed Malware Protection Data


The Malware Protection details screen displays the malware that has been detected in your virtual machine or instance. This screen only shows data for the last 90 days. 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Malware Protection.

  3. Locate and select the desired virtual machine or instance. 

| Column | Description |
|---|---|
| Malware Name | The name of the malware detected in your virtual machine or instance. |
| File Name | The location of the malware detected in your virtual machine or instance. |
| Action Taken | The action taken against the malware: Quarantine, Clean, Rename, Pass, Deny Access. |
| Date | The date when the malware was detected. |


Run a Malware Scan




View Malware Scan Activity


In the Malware Protection screen, on the Scan Activity tab, you can view details on current and past scans. 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Malware Protection.

  3. Click Scan Activity.

The number of active scans will display in the top right corner of the table.

| Column | Description |
|---|---|
| Name | This column displays the name of the virtual machine or instance. |
| User | This column displays the name of the user who initiated the scan. |
| Time Started | This column displays the date and time that the scan was initiated. |
| Last Updated | This column displays the date and time of the last status check for the scan. |
| Status | This column displays the status of the scan: Pending indicates that the scan is currently in the queue; Started indicates that the scan has been initiated, but is still in-progress; Completed indicates that the scan has run successfully; Paused indicates that the scan has been paused; Resumed indicates that the scan has resumed running (after being paused); Failed indicates that the scan did not run successfully. |


Info

Troubleshooting 

Armor troubleshoots servers that contain Malware Protection subcomponents in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.

  1. In the Armor Management Portal (AMP), click Support, and then click Tickets.
  2. Click Create a Ticket.
  3. Select or search for the desired category for your ticket request type.
  4. Complete the missing fields.
    1. In Description, enter useful details that can help Armor quickly troubleshoot the problem.
  5. Click Create.
  6. To view the status of your ticket, in the left-side navigation, click Support, and then click Tickets.


Export Malware Protection Data


To export the data: 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Malware Protection.

  3. (Optional) Use the filter function to customize the data displayed. 

  4. Below the table, click CSV. You have the option to export all the data (All) or only the data that appears on the current screen (Current Set). 

    | Function | Data Displayed | Notes |
    |---|---|---|
    | CSV | Vm Name, Vm Provider, Os, Last Agent Communication Date, Last Scan | A blank entry indicates that the action has never taken place. For example, if there is a blank entry under Last Scan, then a scan has never taken place for that corresponding virtual machine. |


Info

Troubleshooting

If you do not have any malware events listed, consider that: 

  • Armor did not detect any malware events on this host in the last 90 days.
    • If a malware event is detected, Armor will contact you based on your notification preferences. To learn how to configure your notification preferences, see Update notification preferences.
  • You do not have permissions to view malware events.
    • You must have the View AVAM permission enabled to view malware events. Contact your account administrator to enable this permission. To learn how to update your permissions, see Roles and Permissions.


Log Search for Malware


Users can search for Anti-virus/Malware events in Log Search. For instructions on how to access and use Log Search, please see our documentation here.

An example of AV/Malware logs can be seen below: 

[Image: example of AV/Malware logs]


For a full list of Log Search fields and descriptions, please visit our glossary here.



