Overview
In the Protection screen, the Protection score focuses on the stability of Armor services to determine whether:
- The agent is responding (heartbeating) to Armor
- The agent has registered properly
For Armor Anywhere, the Protection score focuses on the following services:
- Malware Protection
- FIM
- IDS
- Filebeat (for Linux)
- Winlogbeat (for Windows)
- Vulnerability Scanning
Improve your Protection score
You can use the information below to troubleshoot the issues displayed in the Protection screen.
Armor recommends that you troubleshoot these issues to:
- Improve your Protection scores
- Improve your overall health scores
- Increase the overall security of your environment
Review each step to troubleshoot your problem. If the first step does not resolve the issue, then continue to the second step until the issue has been resolved. As always, you can send a support ticket.
Intrusion Detection System (IDS)
Armor Service: IDS

Issue: IDS has not provided a heartbeat in the past 4 hours.

Step 1: Verify the status of the agent
- Windows: Verify that the service is running
    gsv -displayname *trend*
- Linux: Verify that the service is running
    ps axu | grep ds_agent

Step 2: Check the connectivity of the agent
- Windows: Verify the URL endpoint epsec.armor.com
    & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url
- Windows: Confirm connection to the URL
    new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)
- Linux: Verify the URL endpoint epsec.armor.com
    /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl
- Linux: Confirm connection to the URL
    telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent
- Windows: Verify a 200 response
    PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
    HTTP Status: 200 - OK
    Response:
    Manager contact has been scheduled to occur in the next few seconds.
- Linux: Verify a 200 response
    /opt/ds_agent/dsa_control -m

Issue: IDS is installed but has not been configured.

Step 1: Verify the status of the agent
- Windows: Verify that the service is running
    gsv -displayname *trend*
- Linux: Verify that the service is running
    ps axu | grep ds_agent

Step 2: Check the connectivity of the agent
- Windows: Verify the URL endpoint epsec.armor.com
    & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url
- Windows: Confirm connection to the URL
    new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)
- Linux: Verify the URL endpoint epsec.armor.com
    /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl
- Linux: Confirm connection to the URL
    telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent
- Windows: Verify a 200 response
    PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
    HTTP Status: 200 - OK
    Response:
    Manager contact has been scheduled to occur in the next few seconds.
- Linux: Verify a 200 response
    /opt/ds_agent/dsa_control -m

Issue: IDS is not installed or enabled.

Step 1: Verify the status of the agent
- Windows: Verify that the service is running
    gsv -displayname *trend*
- Linux: Verify that the service is running
    ps axu | grep ds_agent

Step 2: Check the connectivity of the agent
- Windows: Verify the URL endpoint epsec.armor.com
    & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url
- Windows: Confirm connection to the URL
    new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)
- Linux: Verify the URL endpoint epsec.armor.com
    /opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl
- Linux: Confirm connection to the URL
    telnet 146.88.106.210 443

Step 3: Manually heartbeat the agent
- Windows:
    PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
    HTTP Status: 200 - OK
    Response:
    Manager contact has been scheduled to occur in the next few seconds.
- Linux:
    /opt/ds_agent/dsa_control -m
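The three Linux IDS checks above, chained into one script that names the first step that fails. This is an added example, not Armor or Trend Micro tooling; the function names, the `--run` switch, and the line formats it parses (`AgentStatus.dsmUrl: https://host:port/` and a leading `HTTP Status: 200`) are assumptions based on the grep pattern and sample response shown on this page.

```shell
#!/bin/sh
# Added example: runs the three Linux checks in order and names the first failure.
# Output formats parsed here are assumptions (see the lead-in).
DSA_DIR=/opt/ds_agent

# Step 1: reads `ps axu` output on stdin; succeeds if ds_agent is listed.
agent_running() {
    grep -q '[d]s_agent'    # [d] stops grep from matching its own process line
}

# Step 2a: reads `dsa_query -c GetAgentStatus` output, prints "host port".
# Assumed line format: "AgentStatus.dsmUrl: https://host:port/"
dsm_endpoint() {
    url=$(sed -n 's/^AgentStatus\.dsmUrl:[[:space:]]*//p' | head -n 1)
    [ -n "$url" ] || return 1
    hostport=${url#*://}        # drop the scheme
    hostport=${hostport%%/*}    # drop the path
    host=${hostport%%:*}
    port=${hostport##*:}
    if [ "$port" = "$hostport" ]; then port=443; fi    # no explicit port
    printf '%s %s\n' "$host" "$port"
}

# Step 2b: TCP connect with a 5-second limit (bash /dev/tcp instead of telnet).
can_connect() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Step 3: reads `dsa_control -m` output; succeeds on "HTTP Status: 200".
heartbeat_ok() {
    grep -q '^HTTP Status: 200'
}

triage() {
    ps axu | agent_running ||
        { echo "Step 1 failed: ds_agent is not running"; return 1; }
    endpoint=$("$DSA_DIR/dsa_query" -c GetAgentStatus | dsm_endpoint) ||
        { echo "Step 2 failed: agent reports no AgentStatus.dsmUrl"; return 2; }
    # $endpoint is left unquoted on purpose so it splits into host and port
    can_connect $endpoint ||
        { echo "Step 2 failed: cannot reach $endpoint"; return 2; }
    "$DSA_DIR/dsa_control" -m | heartbeat_ok ||
        { echo "Step 3 failed: heartbeat did not return HTTP 200"; return 3; }
    echo "OK: agent running, $endpoint reachable, heartbeat returned 200"
}

# Run the live checks only when asked, so the functions can be sourced safely.
case "${1:-}" in --run) triage ;; esac
```

Run it with `--run` as a user allowed to execute the agent binaries; the exit code (1, 2 or 3) matches the step that failed.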
Vulnerability Scanning
Armor Service: Vulnerability Scanning

Issue: If IR Agent is not installed

Step 1: Verify the status of the agent
- Windows:
  - IR Agent files are located within C:\Program Files\Rapid7
  - The IR Agent service name is "Rapid7 Insight Agent"
- Linux:
  - IR Agent files are located within /opt/rapid7/ir_agent
  - IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  - Upgrade logs are one level above, within /opt/rapid7/upgrade*

Step 2: Check connectivity of the agent
- Port: 443/tcp (IR Agent)
- Destination:
  - endpoint.ingress.rapid7.com *
  - eu.endpoint.ingress.rapid7.com * (Europe, Middle East, Africa)

Issue: The Vulnerability Scanning agent did not run during the most recent scan.

Step 1: Verify the status of the agent
- Windows:
  - IR Agent files are located within C:\Program Files\Rapid7
  - The IR Agent service name is "Rapid7 Insight Agent"
- Linux:
  - IR Agent files are located within /opt/rapid7/ir_agent
  - IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  - Upgrade logs are one level above, within /opt/rapid7/upgrade*

Step 2: Check connectivity of the agent
- Port: 443/tcp (IR Agent)
- Destination:
  - endpoint.ingress.rapid7.com *
  - eu.endpoint.ingress.rapid7.com * (Europe, Middle East, Africa)