Skip to main content
Skip table of contents

Remediation Steps to Improve Protection Scores

Topics Discussed

You can use the information below to troubleshoot the issues displayed in the Protection screen.

Armor recommends that you troubleshoot these issues to:

  • Improve your Protection scores

  • Improve your overall Health scores

  • Increase the overall security of your environment

Review each step to troubleshoot your problem. If the first step does not resolve the issue, then continue to the second step until the issue has been resolved. As always, you can send a support ticket.

Logging

Armor Service

Issue

Remediation

Logging

The filebeat logging agent is not installed.


Step 1: Verify the status of filebeat



DescriptionCommandExtra information
WindowsConfigurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.

  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeatgsv -displayname winlogbeat,filebeat

To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat

Confirm the configured log endpointcat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts




LinuxConfigurations are stored within /etc/filebeat/filebeat.ymlcat /etc/filebeat/*.yml

Verify the operation of the filebeat serviceps aux | grep filebeat

Confirm the configured log endpointgrep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_idgrep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant IDgrep -i tenant_id /etc/filebeat/filebeat.yml



Step 2: Send a support ticket

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Support

  2. Click Tickets

  3. Click Create A Ticket

    • A new tab will appear in your web browser.

In the top right corner of the Armor Ticketing System screen, click the Open AMP button to easily return to your AMP account. A new tab will appear in your web browser.

  1. On the Armor Ticketing System screen, review the categories for ticket request types. These request types are used internally to automatically route your ticket to the appropriate department for a more efficient response. 

Request Types

Scenario

Request Types

Support for Urgent Issues

  • Outage – report an outage

  • Performance Issue – report device performance or degradation issue

  • General Incident – report an unlisted incident

  • Potential Security Incident – report a potential security issue

Common Requests

  • Armor Services – Armor agent services, logging, monitoring, etc.

  • VPN – VPN inquiries

  • Armor Portal – AMP inquiries and requests

  • L2L Tunnels

  • WAF – WAF exceptions and requests

  • Firewall – inquiries on self-service firewall rules

  • SSL Certificate

Other Requests

  • Backup Service – backup services request

  • Disaster Recovery Service

  • DNS – add/configure DNS records

  • Encryption Service – encryption service request

  • Load Balancer – load balancer appliance request

  • OS Patching/Updates – request for OS patching and updates

  • Vulnerability Scanning – vulnerability scanning services

  • Recurring Issue – report a recurring or periodically repeating problem

  • Professional Services – Request a statement of work for out of scope services.

Account Requests

  • Access & Users – request for access and user management

  • Billing/Invoices – general billing or invoice request

  • Compliance – compliance or audit requests

  • Legal/TOS/SLA – legal inquiries

  • Account Cancellation – cancel an Armor account.

  1. In Account, select the AMP account that relates to the ticket. 

  2. Complete the missing fields.

    1. In Summary, enter a very brief description. You can only enter a maximum of 255 characters. 

    2. In Description, enter useful details that can help Armor quickly troubleshoot the problem. For example, consider the following questions: 

      • What is the specific issue? 

      • What are the steps to reproduce the issue? 

      • What is the level of business impact? 

      • Are there additional contacts that should be notified? 

      • Have there been any troubleshooting steps already performed? 

      • Are there any error messages or screenshots to share?

    3. If applicable, in Device, enter the name of the affected virtual machine. 

  3. If applicable, add any screenshots to help explain the issue.  

  4. Click Create.

    • After you create the ticket, you will receive updates on the ticket via an email notification.

You can easily review the details and status of your existing ticket by clicking the View Request link provided within the email notifications that are generated from the ticketing system.

  1. (Optional) After you create a ticket, you can add additional users or organizations to the ticket.

    1. On the ticket detail screen, in the right-side menu, click Share.

    2. Type the name of the user or the user’s email address. To share with a specific organization, type the account name, and then select the desired organization (Admin, Billing, Technical, or Security). The ticket can be shared with multiple organizations.

    3. Click Share.

  2. (Optional) To view the status of this newly created ticket, in the Tickets screen, click View Existing Tickets.

Logging

The winlogbeat logging agent is not installed.

This section only applies to Windows users.


Step 1: Verify the status of winlogbeat


DescriptionCommandExtra information
Configurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.

  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*
To verify the operation of the logging services, look for winlogbeat, filebeatgsv -displayname winlogbeat,filebeat
To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat
Confirm the configured log endpointcat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts



Step 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Logging

Armor has not received a log in the past 4 hours.


Step 1: Check logging services



DescriptionCommandExtra information
WindowsConfigurations are stored in the winlogbeat and filebeat directory within C:\.armor\opt\

cat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml
cat C:\.armor\opt\filebeat-5.2.0-windows-x86_64\filebeat.yml

  • Windows uses both winlogbeat and filebeat.
  • Commands should run in Powershell.

  • To review additional configurations, certificates, and service information, review a server's directory:

      • C:\.armor\opt\winlogbeat*
      • C:\.armor\opt\filebeat*

To verify the operation of the logging services, look for winlogbeat, filebeatgsv -displayname winlogbeat,filebeat

To verify the operation of the logging service processes, look for winlogbeatgps filebeat,winlogbeat

Confirm the configured log endpointcat C:\.armor\opt\winlogbeat-5.2.0-windows-x86_64\winlogbeat.yml | sls hosts




LinuxConfigurations are stored within /etc/filebeat/filebeat.ymlcat /etc/filebeat/*.yml

Verify the operation of the filebeat serviceps aux | grep filebeat

Confirm the configured log endpointgrep -i hosts /etc/filebeat/filebeat.yml

Confirm the external_idgrep -i external_id /etc/filebeat/filebeat.yml

Confirm the tenant IDgrep -i tenant_id /etc/filebeat/filebeat.yml



Step 2: Check connectivity

PortDestination
515/tcp




Malware Protection

Armor Service

Issue

Remediation

Malware Protection

Malware Protection has not provided a heartbeat in the past 4 hours.


Step 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Step 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Step 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response
CODE 
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
CODE 
/opt/ds_agent/dsa_control -m



Step 4: Send a support ticket

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Support

  2. Click Tickets

  3. Click Create A Ticket

    • A new tab will appear in your web browser.

In the top right corner of the Armor Ticketing System screen, click the Open AMP button to easily return to your AMP account. A new tab will appear in your web browser.

  1. On the Armor Ticketing System screen, review the categories for ticket request types. These request types are used internally to automatically route your ticket to the appropriate department for a more efficient response. 

Request Types

Scenario

Request Types

Support for Urgent Issues

  • Outage – report an outage

  • Performance Issue – report device performance or degradation issue

  • General Incident – report an unlisted incident

  • Potential Security Incident – report a potential security issue

Common Requests

  • Armor Services – Armor agent services, logging, monitoring, etc.

  • VPN – VPN inquiries

  • Armor Portal – AMP inquiries and requests

  • L2L Tunnels

  • WAF – WAF exceptions and requests

  • Firewall – inquiries on self-service firewall rules

  • SSL Certificate

Other Requests

  • Backup Service – backup services request

  • Disaster Recovery Service

  • DNS – add/configure DNS records

  • Encryption Service – encryption service request

  • Load Balancer – load balancer appliance request

  • OS Patching/Updates – request for OS patching and updates

  • Vulnerability Scanning – vulnerability scanning services

  • Recurring Issue – report a recurring or periodically repeating problem

  • Professional Services – Request a statement of work for out of scope services.

Account Requests

  • Access & Users – request for access and user management

  • Billing/Invoices – general billing or invoice request

  • Compliance – compliance or audit requests

  • Legal/TOS/SLA – legal inquiries

  • Account Cancellation – cancel an Armor account.

  1. In Account, select the AMP account that relates to the ticket. 

  2. Complete the missing fields.

    1. In Summary, enter a very brief description. You can only enter a maximum of 255 characters. 

    2. In Description, enter useful details that can help Armor quickly troubleshoot the problem. For example, consider the following questions: 

      • What is the specific issue? 

      • What are the steps to reproduce the issue? 

      • What is the level of business impact? 

      • Are there additional contacts that should be notified? 

      • Have there been any troubleshooting steps already performed? 

      • Are there any error messages or screenshots to share?

    3. If applicable, in Device, enter the name of the affected virtual machine. 

  3. If applicable, add any screenshots to help explain the issue.  

  4. Click Create.

    • After you create the ticket, you will receive updates on the ticket via an email notification.

You can easily review the details and status of your existing ticket by clicking the View Request link provided within the email notifications that are generated from the ticketing system.

  1. (Optional) After you create a ticket, you can add additional users or organizations to the ticket.

    1. On the ticket detail screen, in the right-side menu, click Share.

    2. Type the name of the user or the user’s email address. To share with a specific organization, type the account name, and then select the desired organization (Admin, Billing, Technical, or Security). The ticket can be shared with multiple organizations.

    3. Click Share.

  2. (Optional) To view the status of this newly created ticket, in the Tickets screen, click View Existing Tickets.

Malware Protection

Malware Protection is not installed or configured.


Step 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Step 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Step 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response
CODE 
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
CODE 
/opt/ds_agent/dsa_control -m


Step 4: Check the components for the agent

Windows
CODE 
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.AM
Linux
CODE 
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.AM


Component.AM.mode describes if the Malware Protection module is installed.

Component.AM.rules is the number of rules derived from the Armor Deep Security Manager.



Step 5: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Malware Protection

Reboot is required for Malware Protection.


Step 1: Reboot your server

Step 1: Reboot your server


Step 2: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


File Integrity Monitoring (FIM)

Armor Service

Issue

Remediation

File Integrity Monitoring (FIM)

FIM has not provided a heartbeat in the past 4 hours.


Step 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent


Step 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Step 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response
CODE 
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
CODE 
/opt/ds_agent/dsa_control -m


Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


File Integrity Monitoring (FIM)

FIM is installed but has not been configured.


Step 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Step 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Step 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response
CODE 
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
CODE 
/opt/ds_agent/dsa_control -m


Step 4: Check the components for the agent

Windows
CODE 
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetComponentInfo | sls -pattern Component.IM
Linux
CODE 
/opt/ds_agent/dsa_query -c GetComponentInfo | grep Component.IM

Component.IM.mode describes if the FIM module is installed.

Component.IM.rules is the number of rules derived from the Armor Deep Security Manager.



Step 5: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


File Integrity Monitoring (FIM)

FIM is not installed.


Step 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent


Step 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443



Step 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response
CODE 
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
CODE 
/opt/ds_agent/dsa_control -m


Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Intrusion Detection System

Armor Service

Issue

Remediation

IDS

IDS has not provided a heartbeat in the past 4 hours.

Step 1: Verify the status of the agent



DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent

Step 2: Check the connectivity of the agent



DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Step 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response
CODE 
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
CODE 
/opt/ds_agent/dsa_control -m


Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


IDS

IDS is installed but has not been configured.

Step 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent

Step 2: Check the connectivity of the agent



DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Step 3: Manually heartbeat the agent


DescriptionCommand
WindowsVerify a 200 response
CODE 
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
LinuxVerify a 200 response
CODE 
/opt/ds_agent/dsa_control -m


Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new

IDS

IDS is not installed or enabled.


Step 1: Verify the status of the agent


DescriptionCommand
WindowsVerify that the service is running
gsv -displayname *trend*
LinuxVerify that the service is running
ps -axu | grep ds_agent



Step 2: Check the connectivity of the agent


DescriptionCommand
WindowsVerify the URL endpoint epsec.armor.com
& "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c GetAgentStatus | sls -pattern url

Confirm connection to the URL

new-object System.Net.Sockets.TcpClient('146.88.106.210', 443)




LinuxVerify the URL endpoint epsec.armor.com
/opt/ds_agent/dsa_query -c GetAgentStatus | grep AgentStatus.dsmUrl

Confirm connection to the URLtelnet 146.88.106.210 443


Step 3: Manually heartbeat the agent


Windows
CODE 
PS C:\Users\Administrator> & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
HTTP Status: 200 - OK
Response:
Manager contact has been scheduled to occur in the next few seconds.
Linux
CODE 
/opt/ds_agent/dsa_control -m


Step 4: Send a support ticket

Click the following link to open a support ticket in AMP: https://amp.armor.com/support/tickets/new


Vulnerability Scanning

To remediate Vulnerability Scanning issues, please refer to this documentation.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close