Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 23 Next »


Knowledge Base


Feedback

Have a suggestion for the Armor Knowledge Base?

Send a message to
kb@armor.com.









Overview

In the Protection screen, the Protection score focuses on the stability of Armor services to determine if 

  • The agent is responding (hearbeating) to Armor
  • The agent has registered properly

For Armor Anywhere, the Protection scores focuses on the following services:  

  • Malware Protection
  • FIM
  • IDS
  • Filebeat (for Linux)
  • Winlogbeat (for Windows)
  • Vulnerability Scanning

Error rendering macro 'excerpt-include'

No link could be created for 'Protection dashboard (snippet)'.

Improve your Protection score 

You can use the information below to troubleshoot the issues displayed in the Protection screen. 

Armor recommends that you troubleshoot these issues to:

  • Improve your Protection scores
  • Improve your overall health scores
  • Increase the overall security of your environment

Review each step to troubleshoot your problem. If the first step does not resolve the issue, then continue to the second step until the issue has been resolved. As always, you can send a support ticket. 

To learn how to send a support ticket, see Support Tickets.


Error rendering macro 'excerpt-include'

No link could be created for 'Troubleshoot logging score (snippet)'.


Error rendering macro 'excerpt-include'

No link could be created for 'Troubleshoot Malware Protection scores (snippet)'.


Error rendering macro 'excerpt-include'

No link could be created for 'Troubleshoot FIM score (snippet)'.


Intrusion Detection System (IDS)

Issue: IDS has not provided a heartbeat in the past 4 hours

 Step 1: Verify the status of the agent

DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent
 Step 2: Check the connectivity of the agent

DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)



LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443
 Step 3: Manually heartbeat the agent

DescriptionCommand
WindowsVerify a 200 response
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
/opt/ds_agent/dsa_control -m

Issue: IDS is installed but has not been configured

 Step 1: Verify the status of the agent

DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent
 Step 2: Check the connectivity of the agent

DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)



LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443
 Step 3: Manually heartbeat the agent

DescriptionCommand
WindowsVerify a 200 response
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
/opt/ds_agent/dsa_control -m

Issue: IDS is not installed or enabled

 Step 1: Verify the status of the agent

DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps_axu | grep ds_agent
 Step 2: Check the connectivity of the agent

DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL
new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)



LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443
 Step 3: Manually heartbeat the agent
Windows
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
Linux
/opt/ds_agent/dsa_control -m

Vulnerability Scanning

Issue: If IR Agent is not installed

 Step 1: Verify the status of the agent
Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*
 Step 2: Check connectivity of the agent
PortDestination
443/tcp (IR Agent)
  • endpoint.ingress.rapid7.com *
    • (United States)

  • eu.endpoint.ingress.rapid7.com *
    • (Europe, Middle East, Africa)

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.


Issue: The Vulnerability Scanning agent did not run during the most recent scan

 Step 1: Verify the status of the agent
Windows
  • IR Agent files are located within C:\Program Files\Rapid7
  • The IR Agent service name is "Rapid7 Insight Agent"
Linux
  • IR Agent files are located within /opt/rapid7/ir_agent
  • IR Agent logs are located within /opt/rapid7/ir_agent/agent.log*
  • Upgrade logs are one level above, within /opt/rapid7/upgrade*
 Step 2: Check connectivity of the agent
PortDestination
443/tcp (IR Agent)

* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.