Vulnerability Scanning Windows

Z0sickx

Guess i'll break the cherry in this section, looking for any ideas on why Nessus would take 20-40 mins to scan one box. For example testing one windows 10.3 box it sits at 0% then at the 20 min mark or so its starts to progress, these would be hardened DoD Windows images. The domain account is able to login and has domain admin privileges and it does login as soon as the scan is launched based on event viewer but i feel like something is slowing it down.

any ideas/or approaches? This only happened after systems transitioned to a new windows 10 build so i feel like a certain STIG/GPO policy setting is doing this

iBrokeIT

The Nessus scan settings that you choose have a huge impact on performance and scan time.  

Z0sickx

iBrokeIT said:

The Nessus scan settings that you choose have a huge impact on performance and scan time.  

right but as of now they're run with conservative settings, we've even tried cutting those max host/max plugins in half with no noticeable difference other then long scan times. In the mean time as i've troubleshooted I changed all scanners to use HIGH memory usage to squeeze a little more performance out of them and since they are dedicated scanners with plenty of RAM

iBrokeIT

Should we try praying to Cthulhu to see if that works?  If your expectation is for people to troubleshoot your issue, youre going to need to start posting relevant details such has your entire Nessus scan configuration otherwise best of luck with Cthulhu.

JDMurray

Does Nessus provide a very verbose output format that timestamps each of the scanning operations that it performs? Seems like that would be the best way to determine where it is spending most of its time.

iBrokeIT

JDMurray said:

Does Nessus provide a very verbose output format that timestamps each of the scanning operations that it performs? Seems like that would be the best way to determine where it is spending most of its time.

Interesting fact, if you place a check mark next to "Enable plugin debugging" it will triple your scan times because Nessus will have that write the verbose output to disk.  That is according to what a Tenable support engineer told me last fall.  There are numerous other settings that will have a performance impact which is why he needs to post the full scan config.

Z0sickx

Don't have the exact settings in front of me now so i'll have to wait until monday. everything is being run in SecurityCenter but can just use one of the standalone scanners and modify the logging on Nessus to output verbose details with full audit trail to see if i can find consistent plugins that take long..hoping its just a handful of plugins cause long scan time and not all of them...from the scans i looked at today they tended to take 1300-1900 seconds to complete per system

JDMurray

iBrokeIT said:
Interesting fact, if you place a check mark next to "Enable plugin debugging" it will triple your scan times because Nessus will have that write the verbose output to disk.

I'd write those logs to an SSD or virtual (RAM) drive to speed that up.

beads

If Nessus is set to scan during idle times that alone will make a huge difference. Would start with watching the target for low CPU and Disk activity compared to the scans and see where the difference is activity is and is not. There are so many settings in the Administration panel. Without looking directly at that piece and seeing what is setup compared to the target box, time of scan, CPU setting etc. Its going to be hard to diagnose without more information.

McxRisley

Z0sickx said:

iBrokeIT said:

The Nessus scan settings that you choose have a huge impact on performance and scan time.  

right but as of now they're run with conservative settings, we've even tried cutting those max host/max plugins in half with no noticeable difference other then long scan times. In the mean time as i've troubleshooted I changed all scanners to use HIGH memory usage to squeeze a little more performance out of them and since they are dedicated scanners with plenty of RAM

Define "conservative", you are not giving enough details here for us to help you.  I have A LOT of experience with Nessus and its issues. What scan policy are you using?

Z0sickx

Conservative as in max host = 30, max checks = 4. endpoints are running 8 gigs of RAM and 2 cores, so i don't believe its a endpoint resource issue. yes we've tried cutting those performance settings in half. I've gone into Nessus and modify the mem_usage from low to high and turned logging to minimal to see if that would boost things up to with the same results. Antivirus and Host intrusion prevention show no blocks within the logs related to nessus. I'm having a hard time blaming it on Nessus when it previously was able to scan within 7-10 per host to 20+mins with windows update to 10.3. Windows event viewer security logs didn't reveal much either

Ertaz

How many ports are open on the scan target? .... 

Z0sickx

all Ertaz said:

How many ports are open on the scan target? .... 

all ports with exceptions...i don't have the full list of exceptions

Ertaz

Z0sickx said:

all Ertaz said:

How many ports are open on the scan target? .... 

all ports with exceptions...i don't have the full list of exceptions

Which ports are being detected? (is what I should have said.) 

iBrokeIT

Z0sickx said:

Conservative as in max host = 30, max checks = 4. endpoints are running 8 gigs of RAM and 2 cores, so i don't believe its a endpoint resource issue. yes we've tried cutting those performance settings in half. I've gone into Nessus and modify the mem_usage from low to high and turned logging to minimal to see if that would boost things up to with the same results. Antivirus and Host intrusion prevention show no blocks within the logs related to nessus. I'm having a hard time blaming it on Nessus when it previously was able to scan within 7-10 per host to 20+mins with windows update to 10.3. Windows event viewer security logs didn't reveal much either

Are the servers you are scanning located in the same datacenter/site as your Nessus scanner? If so, I would set the Max Checks = 20 and increase by 5 depending on your performance.  What is your timeout value set to?