Armor Knowledge Base
Space shortcuts
Page tree

Versions Compared

Old Version 50

changes.mady.by.user Geoff Ka'alani

Saved on

compared with

New Version 59

changes.mady.by.user Geoff Ka'alani

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Content Layer
id443839770
Content Column
id443839777
Content Block
background-color$lightGrayColor
id443839764

Topics Discussed

Table of Contents
maxLevel3
minLevel3

Content Block
id443839776

In the Protection screen, the Protection score focuses on the stability of Armor services to determine if 

  • The agent is responding (hearbeating) to Armor
  • The agent has registered properly


For Armor Anywhere, the Protection scores focuses on the following services:  

  • Malware Protection
  • FIM
  • IDS
  • Filebeat (for Windows and Linux)
  • Winlogbeat (for Windows)
  • Vulnerability Scanning


Review Widgets and Graph 

Widget and Graph Type

Description

Protection Score

This widget displays a calculated score that includes the number of subagents in an unhealthy state.

Score range

Health status

10 - 8

Good

7 - 4Fair
3 - 1Poor
Note
  • For Armor Complete, only virtual machines that are in a Powered On state are included. 
  • For Armor Anywhere, only virtual machines that have communicated (heartbeated) with Armor in the last 4 hours are included. 
Info

Scores in the security dashboards are calculated and updated every night at 2:00 AM UTC.

Assets ProtectedThis widget displays the number of virtual machines that contain the Armor agent.
Healthy ServicesThis widget displays the percentage of agents and subagents that are working properly.
Protection Score TrendThis graph displays the history of your protection scores.  


Understand Service Health 

The Service Health section displays the virtual machines that contain the installed Armor agent. 
To view this section, you must have the Read Virtual Machines(s)permission assigned to your account.

Column

Description

Asset Name

This column displays the name of the virtual machine.

You can click the name of the virtual machine to access the Virtual Machine details screen.

Status

This column displays the security status of the virtual machine.

  • Unprotected indicates the agent is not installed in the instance.
    • Instances without an agent will be labeled as Unprotected. All instances from the public cloud account will be displayed.
  • Needs Attention indicates that the agent is installed, but has not properly communicated (heartbeated) with Armor.
  • OK indicates that the agent is installed and has communicated (hearbeated) with Armor.
Location

For Armor Complete, this column will display name of the Armor virtual site.

For Armor Anywhere, this column will display the name of the public cloud provider.

Ticket

This column displays the support ticket that troubleshoots the Protection issue.
A Protection issue will automatically generate a support ticket.


Improve your Protection Score 

You can use the information below to troubleshoot the issues displayed in the Protection screen. 

Armor recommends that you troubleshoot these issues to:

  • Improve your Protection scores
  • Improve your overall health scores
  • Increase the overall security of your environment

Review each step to troubleshoot your problem. If the first step does not resolve the issue, then continue to the second step until the issue has been resolved. As always, you can send a support ticket. 

Note

To learn how to send a support ticket, see Armor Support

Tickets

.


Logging

Expand
titleIssue: The filebeat logging agent is not installed.

Description

Command

Extra information

WindowsConfigurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.

  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeatgsv -displayname armor-winlogbeat,armor-filebeat

To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat

Confirm the configured log endpointcat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts




LinuxConfigurations are stored within /etc/filebeat/filebeat.ymlcat /etc/filebeat/*.yml

Verify the operation of the filebeat serviceps aux | grep filebeat

Confirm the configured log endpointgrep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_idgrep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant IDgrep -i tenant_id /etc/filebeat/filebeat.yml
Expand
titleIssue: The winlogbeat logging agent is not installed.

Step 1: Verify the status of filebeat

Note

This section only applies to Windows users.

Description

Command

Extra Information

Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.

  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*
To verify the operation of the logging services, look for winlogbeatfilebeatgsv -displayname armor-winlogbeat,armor-filebeat
To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat
Confirm the configured log endpoint

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts

Expand
titleIssue: Armor has not received a log in the past 4 hours.

Step 1: Check Logging Services


Description

Command

Extra information

WindowsConfigurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.

  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeatgsv -displayname armor-winlogbeat,armor-filebeat

To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat

Confirm the configured log endpointcat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts




LinuxConfigurations are stored within /etc/filebeat/filebeat.ymlcat /etc/filebeat/*.yml

Verify the operation of the filebeat serviceps aux | grep filebeat

Confirm the configured log endpointgrep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_idgrep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant IDgrep -i tenant_id /etc/filebeat/filebeat.yml


Step 2: Check Connectivity

Port

Destination

515/tcp




Malware Protection

Expand
titleIssue: Malware Protection has not provided a heartbeat in the past 4 hours

Step 1: Verify the status of the agent


Description

Command

WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent


Step 2: Check the connectivity of the agent


Description

Command

WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Step 3: Manually heartbeat the agent


Description

Command

WindowsVerify a 200 response
Code Block
themeMidnight
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
Code Block
themeMidnight
/opt/ds_agent/dsa_control -m
Expand
titleIssue: Malware Protection is not installed or configured

Step 1: Verify the status of the agent


Description

Command

LinuxVerify that the service is running
ps_axu | grep ds_agent
WindowsVerify that the service is running
gsv -displayname *trend*


Step 2: Check the connectivity of the agent


Description

Command

WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Step 3: Manually heartbeat the agent


Description

Command

WindowsVerify a 200 response
Code Block
themeMidnight
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
Code Block
themeMidnight
/opt/ds_agent/dsa_control -m


Step 4: Check the components for the agent

Windows
Code Block
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.AM
Linux
Code Block
themeMidnight
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.AM
Note

Component.AM.mode describes if the Malware Protection module is installed.

Component.AM.rules is the number of rules derived from the Armor Deep Security Manager.

Expand
titleIssue: Reboot is required for Malware Protection

Step 1: Reboot your server


File Integrity Monitoring (FIM)

Expand
titleIssue: FIM has not provided a heartbeat in the past 4 hours

Step 1: Verify the status of the agent


Description

Command

WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent


Step 2: Check the connectivity of the agent


Description

Command

WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Step 3: Manually heartbeat the agent


Description

Command

WindowsVerify a 200 response
Code Block
themeMidnight
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
Code Block
themeMidnight
/opt/ds_agent/dsa_control -m



Expand
titleIssue: FIM is installed but has not been configured

Step 1: Verify the status of the agent

WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent


 Step 2: Check the connectivity of the agent


Description

Command

WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Step 3: Manually heartbeat the agent


Description

Command

WindowsVerify a 200 response
Code Block
themeMidnight
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
Code Block
themeMidnight
/opt/ds_agent/dsa_control -m


Step 4: Check the components for the agent

Windows
Code Block
themeMidnight
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.IM
Linux
Code Block
themeMidnight
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.IM
Note

Component.IM.mode describes if the FIM module is installed.

Component.IM.rules is the number of rules derived from the Armor Deep Security Manager.

Expand
titleIssue: FIM is not installed

Step 1: Verify the status of the agent


Description

Command

WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent


Step 2: Check the connectivity of the agent


Description

Command

WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Step 3: Manually heartbeat the agent


Description

Command

WindowsVerify a 200 response
Code Block
themeMidnight
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
Code Block
themeMidnight
/opt/ds_agent/dsa_control -m


Intrusion Detection System (IDS)

Expand
titleIssue: IDS has not provided a heartbeat in the past 4 hours

Step 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent


Step 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Step 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response
Code Block
themeMidnight
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
Code Block
themeMidnight
/opt/ds_agent/dsa_control -m
Expand
titleIssue: IDS is installed but has not been configured

Step 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent


Step 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL

telnet 146.88.106.210 443


Step 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response
Code Block
themeMidnight
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
Code Block
themeMidnight
/opt/ds_agent/dsa_control -m
Expand
titleIssue: IDS is not installed or enabled

Step 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent


Step 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Step 3: Manually heartbeat the agent

Windows
Code Block
themeMidnight
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
Linux
Code Block
themeMidnight
/opt/ds_agent/dsa_control -m


Vulnerability Scanning

Expand
titleIssue: If IR Agent is not installed

Step 1: Verify the status of the agent

Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*


Step 2: Check connectivity of the agent

PortDestination
443/tcp (IR Agent)
Note

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Expand
titleIssue: The Vulnerability Scanning agent did not run during the most recent scan

Step 1: Verify the status of the agent

Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*


Step 2: Check connectivity of the agent

PortDestination
443/tcp (IR Agent)
Note

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Expand
titleIssue: The Vulnerability Scanning agent is not installed

Step 1: Verify the status of the agent

Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*


Step 2: Check connectivity of the agent

PortDestination
443/tcp (IR Agent)
Note

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.


Step 3: Re-install the Armor agent.

Expand
titleIssue: The Vulnerability Scanning agent did not successfully sync

Step 1: Verify the status of the agent

Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*


Step 2: Check connectivity of the agent

PortDestination
443/tcp (IR Agent)
Note

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.


Step 3: Re-install the Armor agent.


Anchor
Export Protection screen data
Export Protection screen data
Export Protection Screen Data

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security

  2. Click Protection.

  3. (Optional) Use the search bar to customize the data displayed. 

  4. Below the table, click CSV. You have the option to export all the data (All) or only the data that appears on the current screen (Current Set). 

    Column

    Description

    Asset NameThis column display the name of the virtual machine (or instance).
    LocationThis column displays the data center location for for the virtual machine (or instance).
    Service

    For Armor Complete, the Protection scores focuses on the following services:  

    • Malware Protection
    • FIM
    • Filebeat (for Linux)
    • Winlogbeat (for Windows)

    For Armor Anywhere, the Protection scores focuses on the following services:  

    • Malware Protection
    • FIM
    • IDS
    • Filebeat (for Linux)
    • Winlogbeat (for Windows)
    • Vulnerability Scanning
    StatusThis column displays the security status of the virtual machine (or instance), which can be:
    • Warning
    • Needs Attention
    • OK
    MessageThis column displays a brief message to explain the reason for the Warning or Needs Attention status.




Was this helpful?
Rate Macro

Scrolltotop



Armor Defense Inc. Copyright © 2020. All rights reserved.