Protection Degraded

Protection degradation indicates that some protection functions of the HSS agent are disabled or do not take effect due to exceptions. As a result, the protection on servers is weakened.

To check whether agent protection is degraded, choose Asset Management > Servers & Quota on the HSS console, click a server name to go to the server protection details page, and choose Security Operations > Policies to view the policy status. If the status of any policy is Abnormal, agent protection is degraded.

This section describes the agent protection levels and the causes and solutions of agent protection degradation.

Agent Protection Levels

For an agent in the Running state, there are five protection levels:

If the protection level of the agent is 1, the agent status is normal and all protection functions are normal.
If the protection level of the agent is 2, the agent has disabled level-1 protection policies and retains level-2 and -3 policies. For more information, see Table 1.
If the protection level of the agent is 3, the agent has disabled level-1 and -2 protection policies and retains level-3 policies. For more information, see Table 1.
The agent is in no-load state. In this case, all protection functions of the agent are disabled. You can only upgrade or uninstall the agent on the console. The protection status of the Server is displayed as Protection interrupted.
If the agent is silent, all the protection functions of the agent are disabled, and you cannot upgrade or uninstall the agent on the console. The protection status of the server is Protection interrupted.

**Table 1** Protection levels of policies
Policy	Protection Level
Cluster intrusion detection	1
Container escape detection	1
Container file monitoring	1
Container process whitelist	1
Suspicious image behaviors	1
Fileless attack detection	1
Port scan detection	1
Abnormal process behaviors	1
Root privilege escalation	1
Rootkit detection	1
AV detection	1
External connection detection	1
Container escape prevention	1
Container information collection	2
Web shell detection	2
Malicious file detection	2
Login security check	2
Real-time process	2
Container information module	2
HIPS detection	2
Asset discovery	3
Configuration check	3
File protection	3
Self-protection	3
Weak password detection	3

For details about the policies in Table 1, see Policy Management Overview.

Agent Protection Degradation Causes

The reasons for agent protection degradation are as follows:

The number of agent restarts exceeds the threshold. The agent automatically restarts too many times due to excessive server memory usage or other reasons. As a result, agent protection is degraded. The relationship between the number of agent restarts and protection degradation is as follows:
- If 5 ≤ Agent restarts ≤ 8, agent protection will be degraded from level 1 to level 2 on the current day and restored to normal on the next day.
- If 9 ≤ Agent restarts ≤ 11, agent protection will be degraded from level 2 to level 3 on the current day and restored to normal on the next day.
- If 12 ≤ Agent restarts ≤ 16, agent protection will be degraded from level 3 to the no-load state on the current day and restored to normal on the next day.
- If Agent restarts ≥ 17, the agent will enter the silent state on the current day and be restored to normal on the next day.
Server memory is insufficient. If available server memory is less than 50 MB, agent protection will be degraded. If available server memory is insufficient for about 3 minutes, the agent will gradually be degraded and finally enter the silent state. The agent will be restored to normal only if the available memory of the server is sufficient (greater than 250 MB).

Figure 1 Agent protection degraded

Agent Protection Degradation Solution

If agent protection is degraded due to insufficient server memory, you are advised to expand the server memory to ensure that the available server memory is greater than 250 MB. Then, the agent will be automatically restored to the normal state.

If agent protection is degraded due to frequent agent restarts, you can wait until the agent is automatically restored the next day. You can also perform the following operations to manually restore the agent to the normal state.

If you have enabled the self-protection policy, disable it before performing the following operations. For details, see Disabling HSS Self-Protection.

Modify the conf/framework.conf file in the agent installation directory and change the mode after the colon (:) of run_mode to normal.
Perform the following operations to delete the file that records the number of restart times.
- Linux: Run the rm -f /usr/local/hostguard/run/restart.conf command.
- Windows: Find C:\Program Files\HostGuard\run\restart.conf and delete it.
Perform the following operations to restart the agent.
- Linux: Run the /etc/init.d/hostguard restart command.
- Windows:
  - The agent version is 4.0.17 or earlier.
    1. Log in to the server as user administrator.
    2. Open the Windows Task Manager, choose Services.
    3. Right-click Hostwatch and choose Stop. After the status changes to Stopped, go to Step 4.
    4. Right-click Hostguard and choose Stop.
    5. Right-click Hostwatch and choose Start.
      After Hostwatch is started, Hostguard is automatically started.
  - The agent version is 4.0.18 or later.
    1. Log in to the server as user administrator.
    2. Open the command-line interface (CLI). Run the following commands in sequence to stop the service:
      sc control hostwatch 198
      
      sc control hostguard 198
      
      As shown in the Figure 2, the sp_state.conf file is not generated on the server with self-protection enabled.
      
      Figure 2 Stopping the service
    3. Open the Windows Task Manager, choose Services.
    4. Right-click Hostwatch and choose Start.
      After Hostwatch is started, Hostguard is automatically started.