Page tree

File Integrity Monitoring (FIM)


Issue: FIM has not provided a heartbeat in the past 4 hours

 Step 1: Verify the status of the agent

DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent
 Step 2: Check the connectivity of the agent

DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)



LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443
 Step 3: Manually heartbeat the agent

DescriptionCommand
WindowsVerify a 200 response
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
/opt/ds_agent/dsa_control -m

Issue: FIM is installed but has not been configured

 Step 1: Verify the status of the agent

DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent
 Step 2: Check the connectivity of the agent

DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)



LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443
 Step 3: Manually heartbeat the agent

DescriptionCommand
WindowsVerify a 200 response
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
/opt/ds_agent/dsa_control -m
 Step 4: Check the components for the agent
Windows
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.IM
Linux
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.IM

Component.IM.mode describes if the FIM module is installed.

Component.IM.rules is the number of rules derived from the Armor Deep Security Manager.

Issue: FIM is not installed

 Step 1: Verify the status of the agent

DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent
 Step 2: Check the connectivity of the agent

DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)



LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443
 Step 3: Manually heartbeat the agent

DescriptionCommand
WindowsVerify a 200 response
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
/opt/ds_agent/dsa_control -m