Vulnerability Scanning Windows
Z0sickx
Member Posts: 180 ■■■□□□□□□□
Guess I'll break the cherry in this section. Looking for any ideas on why Nessus would take 20-40 mins to scan one box. For example, testing one Windows 10.3 box, it sits at 0%, then at the 20 min mark or so it starts to progress. These would be hardened DoD Windows images. The domain account is able to log in and has domain admin privileges, and it does log in as soon as the scan is launched based on Event Viewer, but I feel like something is slowing it down.
Any ideas or approaches? This only happened after systems transitioned to a new Windows 10 build, so I feel like a certain STIG/GPO policy setting is doing this.
Comments
-
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□
The Nessus scan settings that you choose have a huge impact on performance and scan time.
2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response
-
Z0sickx Member Posts: 180 ■■■□□□□□□□
iBrokeIT said: The Nessus scan settings that you choose have a huge impact on performance and scan time.
-
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□
Should we try praying to Cthulhu to see if that works? If your expectation is for people to troubleshoot your issue, you're going to need to start posting relevant details such as your entire Nessus scan configuration, otherwise best of luck with Cthulhu.
-
JDMurray Admin Posts: 13,090 Admin
Does Nessus provide a very verbose output format that timestamps each of the scanning operations that it performs? Seems like that would be the best way to determine where it is spending most of its time.
-
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□
JDMurray said: Does Nessus provide a very verbose output format that timestamps each of the scanning operations that it performs? Seems like that would be the best way to determine where it is spending most of its time.
-
Z0sickx Member Posts: 180 ■■■□□□□□□□
Don't have the exact settings in front of me now, so I'll have to wait until Monday. Everything is being run in SecurityCenter, but I can just use one of the standalone scanners and modify the logging on Nessus to output verbose details with full audit trail to see if I can find consistent plugins that take long... hoping it's just a handful of plugins that cause the long scan time and not all of them. From the scans I looked at today, they tended to take 1300-1900 seconds to complete per system.
-
beads Member Posts: 1,533 ■■■■■■■■■□
If Nessus is set to scan during idle times, that alone will make a huge difference. Would start with watching the target for low CPU and disk activity compared to the scans and see where the difference in activity is and is not. There are so many settings in the Administration panel. Without looking directly at that piece and seeing what is set up compared to the target box, time of scan, CPU setting, etc., it's going to be hard to diagnose without more information.
-
McxRisley Member Posts: 494 ■■■■■□□□□□
Z0sickx said:
iBrokeIT said: The Nessus scan settings that you choose have a huge impact on performance and scan time.
I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
-
Z0sickx Member Posts: 180 ■■■□□□□□□□
Conservative as in max host = 30, max checks = 4. Endpoints are running 8 gigs of RAM and 2 cores, so I don't believe it's an endpoint resource issue. Yes, we've tried cutting those performance settings in half. I've gone into Nessus and modified the mem_usage from low to high and turned logging to minimal to see if that would boost things up too, with the same results. Antivirus and host intrusion prevention show no blocks within the logs related to Nessus. I'm having a hard time blaming it on Nessus when it previously was able to scan within 7-10 per host to 20+ mins with the Windows update to 10.3. Windows Event Viewer security logs didn't reveal much either.
-
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□
Z0sickx said: Conservative as in max host = 30, max checks = 4. Endpoints are running 8 gigs of RAM and 2 cores, so I don't believe it's an endpoint resource issue. Yes, we've tried cutting those performance settings in half. I've gone into Nessus and modified the mem_usage from low to high and turned logging to minimal to see if that would boost things up too, with the same results. Antivirus and host intrusion prevention show no blocks within the logs related to Nessus. I'm having a hard time blaming it on Nessus when it previously was able to scan within 7-10 per host to 20+ mins with the Windows update to 10.3. Windows Event Viewer security logs didn't reveal much either.
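
The approach JDMurray and Z0sickx describe earlier in the thread (timestamp every scanning operation, then look for plugins that are slow on every host) can be sketched as follows. This is an added example, not part of the thread and not Nessus code; the log layout, plugin names and addresses are constructed stand-ins, so the regular expression has to be adapted to the scanner's real audit-trail output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. Hypothetical layout, not Nessus's real log format:
#   <ISO timestamp> <host> <start|finish> <plugin>
SAMPLE_LOG = """\
2019-03-04T09:00:00 192.0.2.11 start plugin_A
2019-03-04T09:00:02 192.0.2.11 finish plugin_A
2019-03-04T09:00:02 192.0.2.11 start plugin_B
2019-03-04T09:21:40 192.0.2.11 finish plugin_B
2019-03-04T09:21:40 192.0.2.11 start plugin_C
2019-03-04T09:24:10 192.0.2.11 finish plugin_C
2019-03-04T09:00:00 192.0.2.12 start plugin_A
2019-03-04T09:00:03 192.0.2.12 finish plugin_A
2019-03-04T09:00:03 192.0.2.12 start plugin_B
2019-03-04T09:24:03 192.0.2.12 finish plugin_B
2019-03-04T09:24:03 192.0.2.12 start plugin_C
2019-03-04T09:30:03 192.0.2.12 finish plugin_C
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (start|finish) (\S+)$")

def plugin_durations(log_text):
    """Return {plugin: {host: seconds}} from paired start/finish events."""
    started = {}
    durations = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a plugin event
        ts, host, event, plugin = m.groups()
        when = datetime.fromisoformat(ts)
        if event == "start":
            started[(host, plugin)] = when
        elif (host, plugin) in started:  # finish without start is skipped
            delta = when - started.pop((host, plugin))
            durations[plugin][host] = delta.total_seconds()
    return durations

def consistently_slow(durations, threshold_s=300):
    """Plugins at or over threshold_s on every host (2+ hosts), slowest first."""
    hits = {p: min(h.values()) for p, h in durations.items()
            if len(h) > 1 and min(h.values()) >= threshold_s}
    return sorted(hits.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for plugin, floor in consistently_slow(plugin_durations(SAMPLE_LOG)):
        print(f"{plugin}: at least {floor:.0f}s on every host")
```

Ranking by the fastest run across hosts separates a plugin that stalls everywhere, which points at a common build or policy setting, from one that is slow on a single machine.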