Scan Configuration
Fortra Vulnerability Manger Scanning
Fortra Vulnerability Management™ (Fortra VM) scanners provide comprehensive, updated information about your environment’s security posture.
This page details the following topics:
- Viewing, modifying, and creating scan policies
- Managing scan credentials
- Configuring scan results setting
Work with Scan Policies
This section describes how to view, modify, and create a scan policy, which is a set of instructions for a scanner. Fortra VM has default policies for several common scanning objectives (e.g., application discovery, host discovery, port scanning).
While a scanner only uses one scanner profile at a time, a profile can accommodate many scans—each of which with a different policy. A scan policy essentially tells the scanner how to process the scan by identifying scan speed, ports, scan credentials, password auditing, and vulnerabilities to include or exclude.
To view scan policies:
- From the navigation menu, select Scans > Scan Policies. You are on the Scan Policies page, which describes available scan policies.
- Select a scan policy name to view its settings.
To modify or create a scan policy:
- From the navigation menu, select Scans > Scan Policies. You are on the Scan Policies page, which describes available scan policies.
- Perform one of the following:
- Select a scan policy name to modify it.
- Select New policy to create a new scan.
NOTE: You cannot modify default scan policies, which are denoted with a shield symbol, but you can select to copy the default policy and create a new one based on it. - Enter or modify the scan policy settings on the following tabs and associated field (if you are deleting a scan policy, select Delete, which is available on any of the tabs):
- General Settings tab
- Name
- Description
- Scan speed: Choose your scan speed (faster speeds require more processing resources).
- Scan chunk size: Changes the number of assets in a scan thread (select Auto if you are unsure which size to use).
- ICMP only asset detection: Select ON or OFF.
- Disable TCP RST asset detection: Select ON or OFF.
- Disable ICMP port unreachable asset detection: Select ON or OFF.
- Ports tab
- Include ports or Override ports: If you choose Include ports, enter the ports the scan uses in addition to the default ports. If you choose Override ports, enter the ports to override the default ports (this option specifies the exact ports used during scans).
- Exclude ports: Enter the ports to exclude during scans (takes precedent if a port is also included).
- Credentials tab
- Patch Scanning: Select ON or OFF.NOTE: If the Patch Scanning toggle is switched to OFF, no Microsoft update vulnerabilities will be associated with authenticated scanning.
- Compliance Scanning: Select ON or OFF. This setting is available only to Fortra VM-Professional users and must be enabled by Client Support.
- Threat Scanning: Select ON or OFF. This setting is only available with the Active Threat Scanning service.
- Add Credential: Add a credential for scanning (requires Alias name, system Type to scan, Username, Password, and Domain name to create).
- Password Auditing tab
- Brute force level: Select level (default is set to low; the higher the setting, the more processing power is required). Use the following parameters to decide whether the level is low, medium or high.
- Low: This is mostly default credentials and some easily guessable credentials against specific services that don’t generally lock out accounts.
- Medium: Default and easily guessable credentials, more of a middle ground between low and high.
- High: Default and easily guessable credentials, and the scanner would use the full list of available credentials if time permitted.
- Ignored usernames: Type the usernames you want the scanner to ignore (press ENTER after each username or use commas to separate, then press ENTER).
- Custom passwords: Type the passwords you want to use in addition to what is in the NIRV built-in password library (press ENTER after each password or use commas to separate, then press ENTER).
- Custom SNMP community names: Type the Simple Network Management Protocol (SNMP) community names that allow communication between a host and agent. Press ENTER after each name or use commas to separate, then press ENTER.
- CVCs tab
- Excluded CVCs by name: Select the vulnerabilities you want to exclude during scans (takes precedence if a vulnerability is also included in the policy). Select next to a vulnerability name to remove it.
- Override CVCs by name: Select the vulnerabilities to override the scanner’s default CVCs. Select next to a vulnerability name to remove it.
- Include potential CVCs: Enable to check for vulnerabilities that, based on indirect detection methods, such as the software versions in your environment, have a high likelihood of being present but are not confirmed.
- Include superseded Microsoft patches CVCs: Enable to check for Microsoft patches that have replaced older related patches.
- CVC Families: Enable or disable the CVC families you want Fortra VM to use during scans.
- Enable aggressive mode scanning:This toggle allows the user to choose what scanning mode to use.
-
Select Save policy. Your scan policy is updated or created.
To modify or a delete credentials, go to the navigation menu and select System > Scan Credentials.
Overall, low is the default setting and most suitable setting for most scanning. It covers all the default credentials the scanner has and is the least likely to result in account lockouts (other than brute none, of course). Medium and high are more likely to lock out accounts for services that utilize an account lockout policy. In most cases, it is best to use the medium or high brute level in one-off scans of specific assets that either don’t have a lockout policy or where the client would be prepared to deal with a lockout, should one occur.
This setting is for the DDI NIRV™ password auditing engine.
This setting does not check user domain credentials, only default or easily guessable credentials for host configuration (e.g., admin/admin).
This setting does not check user domain credentials, only default or easily guessable credentials for host configuration (e.g., admin/admin).
Potential CVCs are identified with lower confidence than explicit checks.
If you have questions about CVC families, contact Technical Support.
Add Credentials
Authenticated scanning gives you safer and more accurate scanning of your environment.
To create a scan credential:
- From the navigation menu, select System > Scan Credentials. You are on the Credentials Manager page.
- Select Add Credential.
- In the Add Credential dialog, complete the following fields:
- Alias name: Example: sally.doe@forest.org
- Type: Select the type of system to scan (options include Windows, Linux, MSSQL, VMware ESX, MySQL, Oracle, PostgreSQL, and SSH Key).
- Username: Example: sallydoe
- Password Confirm: Confirm password
- Domain: Example: forest.org
- Description: (Optional) Enter a description for these credentials.
- Select Save. or Save and add another to create another set of scan credentials. Your scan credentials are created.
While you can add credentials when creating a scan policy, modifying and deleting credentials can only be done through the Credentials Manager. Please see our Scan Configuration article for more information.
To modify a scan credential:
- From the navigation menu, select System > Scan Credentials. You are on the Credentials Manager page.
- Select a credentials Alias name or the nearby edit icon to modify it.
- On the Edit Credential dialog, make your changes and select Save or Save and add another (if you want to create a new set of scan credentials).
To delete a scan credential:
- From the navigation menu, select System > Scan Credentials. You are on the Credentials Manager page.
- Select next to the credential you want to delete, then the resulting check-mark to confirm.
See Authenticated Scanning for more details.
Configure Scan Results Settings
You can configure the type of scan information you receive on the Scan Results page (located by selecting System > Settings > Scan Results on the navigation menu).
From here, you can configure the following settings:
- General:
- Risks and Threat Prioritization, including default risk weight TIP: Be aware that changing your Default risk weight can adversely affect your Security GPA. If you have questions about this feature, contact Technical Support.
- Data retention, including Scan purge daysNOTE: Scan data purged from Fortra VM cannot be restored.
- Matching and Trending, including Use static IP matching internally, Use SLA Security GPA/ SLA Security GPA days, and Active Threat Scanning Auto-Submit
Frequently Asked Questions
Scan Information
How do I create and run scans?
Creating new scans begins in the Scans section on either the Scan Activity or Scheduled Scans page by selecting the Create New Scan button. You can also begin by selecting New > Scan in the Fortra VM site header.
On the Create New Scan page, the user can configure basic items such as the scan name, the start time and date, and which Assets will be scanned.
See more: Create and Run Scans
How are scan timezones configured?
Time Zones can be configured by account, scanner, and scan. The account’s timezone is the default time to be used when a local timezone is not available.
The timezone set for the scanner will be used in configuring the scanner’s profile for things like blackout times. It will also impact the local time at which a scan runs depending on the timezone set for the scan. Scan definitions allow for a timezone to be set as well. This timezone is used in calculating the local time for a scan to run on the designated scans.
To understand how timezone settings are applied, consider a situation where a user in one region creates a scan that will run on a scanner in another region. If the user’s timezone is three hours ahead of the scanner, then scans scheduled to start at 5p.m. for the user will start at 2:00 p.m. in the scanner’s timezone. Essentially, the start time can be understood as “start when it is this time for me.” To clear up confusion in converting times, if you want a scan to start at a certain time in a remote location, set the timezone for the scan to that timezone. Using the example above, if you want the scan to start at 5 pm at the remote location, schedule that time and update the timezone of the scan to match that of the scanner.
What is a scanner profile?
A scanner profile is collection of rules that govern which assets can be scanned and when they are allowed to be scanned. The rules assigned to a scanner profile will define the IP addresses and ports that can be included as scan targets or specifically excluded.
See more: Scanners
What is an asset group?
An asset group defines a set of assets (resources) which are pre-configured for use when creating a scan. Asset groups classify resources into logical containers such as Domain Controllers or Company Website. The groups can include both internal and external assets as well as assets from different profiles.
See more: Manage Asset Groups
What is a scan policy?
A scan policy defines how targets are scanned. Several default policies are provided, and custom ones can be configured too. Policies control aspects of the scan, such as speed, port rules, authentication, and specific groups of vulnerabilities (CVCs) to scan for.
See more: Scan Configuration
How do I prevent assets on my network from being scanned?
The most direct way of excluding a particular asset from being scanned is to configure an exclusion in the scanner profiles for scanners that can access the asset.
From the navigation menu, select System > Scanner Management and select the Scanner Profiles tab.
Select the profile to modify; and on its details page, select the IPs & Ports tab and create a rule to Exclude the given asset. This removes the asset from scanning under any circumstance.
Exclusion rules can also be added to asset groups and even for a specific scan. Note that these exclusions are limited to the scans that use the specific asset group or ad hoc rule.
What is scanning by DNS hostname?
Scanning by DNS hostname lets you specify targets using domain name (e.g., www.mysite.com) instead of IP address (e.g., 192.168.2.1).
This is helpful in externally hosted environments such as Amazon Web Services (AWS) or Microsoft Azure, in which IP addresses may be unknown prior to scanning. In these situations, you can specify a hostname to scan and Fortra VM automatically resolves the named asset and scans it no matter where it is located (provided that type of scanning has been allowed).
These assets are added to your scan results and Active View (if applicable) as distinct and must be managed individually, even if the IP address is the same. This means, for instance, if you have two hostnames (e.g., www.one.com and www.two.com) that resolve to 10.10.10.10, both entries show up in your scan results and Active View.
How do I scan for a specific vulnerability?
Scanning for a specific vulnerability is done using a custom scan policy. In the set up of the policy, select the CVCs tab and enter the name of the specific vulnerability in the Override CVCs by name field. Finally, create a new scan and select your custom policy before running.
See more: Scan Configuration
What is the difference in scan speeds?
The following table provides the approximate packets per second (PPS) sent by the scanner at the various speed options in scan configuration:
| Speed | PPS | Maximum concurrent CVCs per host | Maximum concurrent CVCs |
| Very Slow | 200 | 1 | 20 |
|
Slow |
300 | 3 | 30 |
| Normal (default) | 450 | 6 | 75 |
| Quick | 600 | 13 | 115 |
| Fast | 800 | 15 | 165 |
| Very Fast | 1500 | 220 |
What is the scan chunk size option for?
When the scanner receives a range of IPs to scan, it will break them up into one or more chunks, depending on the configured chunk size and number of IPs to scan. The scanner will then run through all phases of the scan on each chunk of IPs, one chunk at a time. The default setting is Auto, which allows the scanner to determine the most efficient chunk size to use for the scan.
However, there may be cases where network bandwidth limitations may be a special consideration, and this setting can be used to throttle scanner-related network traffic down even further than the scan speed setting alone. Reducing the chunk size can result in an increase in the overall amount of time required to complete the scan.
What is ICMP-only asset detection?
By default, the scanner sends ICMP along with TCP / UDP probes, to several commonly accessible ports, to determine if there is a live asset at an IP address. By using TCP / UDP probes in addition to ICMP, the scanner is able to detect a live asset that may have ICMP disabled. However, in some cases, there may be a device on the network that responds to the TCP probes for IP addresses that do not have live assets which results in the detection of ghost assets. To prevent the detection of these ghost assets, ICMP-only asset detection can be toggled ON to limit the scanner to only using ICMP for asset detection.
What is the maximum number of live assets a RNA can scan?
A RNA supports scanning a maximum of 15,000 live assets per scan, for performance optimization. This number is an approximation because the size of the results data is the basis for the limitation rather than the number of live assets. The maximum number of live assets the RNA can successfully scan may differ slightly from network to network. The limit operates per RNA, and one or more RNAs may be associated with a scan. The scan results in Fortra VM could contain more than 15,000 assets when multiple RNAs are associated to a scan.
If the results from an RNA exceed this limit, the scan block will error out in Fortra VM with the message "Scan Error: Scan results were too large to transfer back to Fortra VM." If a scan block errors with this message, additional RNAs may be required to scan your entire network in a single Fortra VM scan. Alternatively, multiple scans of smaller ranges can be used to stay under the limit.