Protection Dashboard (Armor Anywhere)

Overview

In the Protection screen, the Protection score focuses on the stability of Armor services to determine if:

  • The agent is responding (heartbeating) to Armor
  • The agent has registered properly

For Armor Anywhere, the Protection score focuses on the following services:

  • Malware Protection
  • FIM
  • IDS
  • Filebeat (for Linux)
  • Winlogbeat (for Windows)
  • Vulnerability Scanning

...


Improve your Protection score 

...

  • Improve your Protection scores
  • Improve your overall health scores
  • Increase the overall security of your environment

Review each step to troubleshoot your problem. If a step does not resolve the issue, continue to the next step until the issue has been resolved. As always, you can send a support ticket.

Logging

...

Step 1: Verify the status of filebeat

...

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

...

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in PowerShell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

...

Step 2: Send a support ticket

...

The winlogbeat logging agent is not installed.

Step 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

...

Step 1: Check logging services

...

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

...

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in PowerShell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

...

Step 2: Check connectivity
Port    Destination
515/tcp

Malware Protection

...

Malware Protection has not provided a heartbeat in the past 4 hours.

...

Step 1: Verify the status of the agent

...

gsv -displayname *trend*

...

ps axu | grep ds_agent

...

Step 2: Check the connectivity of the agent

...

& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

...

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

...

/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

...

Step 3: Manually heartbeat the agent

...

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

...

/opt/ds_agent/dsa_control -m

...

Step 4: Send a support ticket

...

Note

...

This section only applies to Windows users.

...

Step 1: Verify the status of winlogbeat

...

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

...

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in PowerShell.
  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

...

To learn how to send a support ticket, see Support Tickets.

...


...

Step 4: Check the components for the agent
Windows
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.AM
Linux
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.AM
Note

Component.AM.mode describes if the Malware Protection module is installed.

Component.AM.rules is the number of rules derived from the Armor Deep Security Manager.

Step 5: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

...

Reboot is required for Malware Protection.

...

Step 1: Reboot your server
Step 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

File Integrity Monitoring (FIM)

...

Step 1: Verify the status of the agent

...

gsv -displayname *trend*

...

ps axu | grep ds_agent

...

Step 2: Check the connectivity of the agent

...

& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

...

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

...

/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

...

Step 3: Manually heartbeat the agent

...

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

...

/opt/ds_agent/dsa_control -m
Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

...

Step 1: Verify the status of the agent

...

gsv -displayname *trend*

...

ps axu | grep ds_agent

...

Step 2: Check the connectivity of the agent

...

& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

...

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

...

/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

...

Step 3: Manually heartbeat the agent

...

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

...

/opt/ds_agent/dsa_control -m
Step 4: Check the components for the agent
Windows
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.IM
Linux
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.IM
Note

Component.IM.mode describes if the FIM module is installed.

Component.IM.rules is the number of rules derived from the Armor Deep Security Manager.

Step 5: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

...

Step 1: Verify the status of the agent

...

gsv -displayname *trend*

...

ps axu | grep ds_agent

...

Step 2: Check the connectivity of the agent

...

& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

...

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

...

/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

...

Step 3: Manually heartbeat the agent

...

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

...

/opt/ds_agent/dsa_control -m
Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

Intrusion Detection System (IDS)

...


...

Malware Protection is not installed or configured.

...

Step 1: Verify the status of the agent

...

gsv -displayname *trend*

...

ps axu | grep ds_agent

...

Step 2: Check the connectivity of the agent

...

& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

...

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

...

/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

...

Step 3: Manually heartbeat the agent

...

PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.

...

/opt/ds_agent/dsa_control -m


...


...

Intrusion Detection System (IDS)

Issue: IDS has not provided a heartbeat in the past 4 hours

...

Step 1: Verify the status of the agent

Windows: Verify that the service is running
gsv -displayname *trend*
Linux: Verify that the service is running
ps axu | grep ds_agent

...


...

Windows
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls FWDPI
 
Component.FWDPI.dpiRules: 164
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap
Linux
[root@ip-172-31-43-60 ~]# /opt/ds_agent/dsa_query -c GetComponentInfo | grep FWDPI
2016-11-18 01:15:47.000000: [Debug/6] | Starting thread 'CScriptThread' with stack size of 1048576 | /build/workspace/Sustain/9.6SP1HF/Build_DSA_96SP1HF_Amazon64/src/dsa/core/threadMgr/Runnable.cpp:587:start | FA6:7F7767397880:*unknown*
Component.FWDPI.dpiRules: 145
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap

...

Step 2: Check the connectivity of the agent

Windows: Verify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux: Verify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL
telnet 146.88.106.210 443
Step 3: Manually heartbeat the agent

Windows: Verify a 200 response
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
Linux: Verify a 200 response
/opt/ds_agent/dsa_control -m
Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new
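
The component checks on this page (Component.AM, Component.IM, Component.FWDPI) return "key: value" lines, sometimes mixed with debug lines as in the Linux output above. The script below is an added example, not Armor or Trend Micro code, that extracts the mode and rule count for one module; the function names and state labels are hypothetical, and the Component.IM sample lines are constructed.

```shell
#!/bin/sh
# Added example: triage one module from dsa_query -c GetComponentInfo output.
# Assumes lines of the form "Component.<MODULE>.<key>: <value>", as shown on this page.

# component_value MODULE KEY   (reads dsa_query output on stdin)
# Prints the value of Component.MODULE.KEY, or nothing when the key is absent.
component_value() {
    awk -v want="Component.$1.$2" '{
        # Exact key match: timestamped debug lines and look-alike keys such as
        # Component.FWDPI.firewallMode never match Component.FWDPI.mode.
        sep = index($0, ": ")
        if (sep && substr($0, 1, sep - 1) == want) { print substr($0, sep + 2); exit }
    }'
}

# module_state MODULE RULES_KEY   (reads dsa_query output on stdin)
# The state labels are hypothetical names chosen for this example.
module_state() {
    out=$(cat)
    mode=$(printf '%s\n' "$out" | component_value "$1" mode)
    rules=$(printf '%s\n' "$out" | component_value "$1" "$2")
    if [ -z "$mode" ]; then
        echo "not-reported"                    # no Component.<MODULE>.mode line
    elif [ -z "$rules" ] || [ "$rules" = 0 ]; then
        echo "no-rules mode=$mode"             # module present, no rules from the manager
    else
        echo "reporting mode=$mode rules=$rules"
    fi
}

# Sample: FWDPI lines from this page's Linux output; the IM lines are constructed.
sample_output() {
    cat <<'EOF'
2016-11-18 01:15:47.000000: [Debug/6] | Starting thread 'CScriptThread' with stack size of 1048576
Component.FWDPI.dpiRules: 145
Component.FWDPI.driverState: 3
Component.FWDPI.firewallMode: on-tap
Component.FWDPI.mode: on-tap
Component.IM.mode: on
Component.IM.rules: 0
EOF
}

# On a host with the agent installed, summarise the modules named on this page.
if [ -x /opt/ds_agent/dsa_query ]; then
    info=$(/opt/ds_agent/dsa_query -c GetComponentInfo)
    for pair in AM:rules IM:rules FWDPI:dpiRules; do
        printf '%s: ' "${pair%%:*}"
        printf '%s\n' "$info" | module_state "${pair%%:*}" "${pair##*:}"
    done
fi
```

A module that prints not-reported or no-rules after a successful manual heartbeat is the case to attach to the support ticket.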


...

Issue: IDS is installed but has not been configured

...

Step 1: Verify the status of the agent

Windows: Verify that the service is running
gsv -displayname *trend*
Linux: Verify that the service is running
ps axu | grep ds_agent
Step 2: Check the connectivity of the agent

Windows: Verify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux: Verify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL
telnet 146.88.106.210 443
Step 3: Manually heartbeat the agent

Windows: Verify a 200 response
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
Linux: Verify a 200 response
/opt/ds_agent/dsa_control -m
Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

...


...

Issue: IDS is not installed or enabled

...

Step 1: Verify the status of the agent

Windows: Verify that the service is running
gsv -displayname *trend*
Linux: Verify that the service is running
ps axu | grep ds_agent
Step 2: Check the connectivity of the agent

Windows: Verify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)

Linux: Verify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URL
telnet 146.88.106.210 443
Step 3: Manually heartbeat the agent
Windows
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
Linux
/opt/ds_agent/dsa_control -m
Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


...

Vulnerability Scanning

...

Issue: If IR Agent is not installed

Step 1: Verify the status of the agent
Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*
Step 2: Check connectivity of the agent
Port    Destination
443/tcp (IR Agent)
  • endpoint.ingress.rapid7.com * (United States)
  • eu.endpoint.ingress.rapid7.com * (Europe, Middle East, Africa)
Note

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Step 3: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


...

Issue: The Vulnerability Scanning agent did not run during the most recent scan

...

Step 1: Verify the status of the agent
Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*
Step 2: Check connectivity of the agent
Port    Destination
443/tcp (IR Agent)
Note

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Step 3: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


...

Export Protection screen data


...