Vulnerability Scanning Windows

Z0sickx (Member, Posts: 180)
edited February 2019 in Windows Security
Guess I'll break the cherry in this section. Looking for any ideas on why Nessus would take 20-40 mins to scan one box. For example, testing one Windows 10.3 box, it sits at 0% and then, at the 20 min mark or so, it starts to progress; these would be hardened DoD Windows images. The domain account is able to log in and has domain admin privileges, and it does log in as soon as the scan is launched based on Event Viewer, but I feel like something is slowing it down.

Any ideas or approaches? This only happened after systems transitioned to a new Windows 10 build, so I feel like a certain STIG/GPO policy setting is doing this.

Comments

  • iBrokeIT (Member, Posts: 1,318)
    The Nessus scan settings that you choose have a huge impact on performance and scan time.  
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • Z0sickx (Member, Posts: 180)
    iBrokeIT said:
    The Nessus scan settings that you choose have a huge impact on performance and scan time.
    Right, but as of now they're run with conservative settings; we've even tried cutting those max hosts/max plugins in half with no noticeable difference other than long scan times. In the meantime, as I've troubleshot, I changed all scanners to use HIGH memory usage to squeeze a little more performance out of them, since they are dedicated scanners with plenty of RAM.
  • iBrokeIT (Member, Posts: 1,318)
    Should we try praying to Cthulhu to see if that works? If your expectation is for people to troubleshoot your issue, you're going to need to start posting relevant details, such as your entire Nessus scan configuration; otherwise, best of luck with Cthulhu.
  • JDMurray (Admin, Posts: 13,023)
    Does Nessus provide a very verbose output format that timestamps each of the scanning operations that it performs? Seems like that would be the best way to determine where it is spending most of its time.
  • iBrokeIT (Member, Posts: 1,318)
    JDMurray said:
    Does Nessus provide a very verbose output format that timestamps each of the scanning operations that it performs? Seems like that would be the best way to determine where it is spending most of its time.
    Interesting fact: if you place a check mark next to "Enable plugin debugging" it will triple your scan times, because Nessus will then write the verbose output to disk. That is according to what a Tenable support engineer told me last fall. There are numerous other settings that will have a performance impact, which is why he needs to post the full scan config.
  • Z0sickx (Member, Posts: 180)
    Don't have the exact settings in front of me now, so I'll have to wait until Monday. Everything is being run in SecurityCenter, but I can just use one of the standalone scanners and modify the logging on Nessus to output verbose details with a full audit trail to see if I can find consistent plugins that take long. Hoping it's just a handful of plugins causing the long scan time and not all of them. From the scans I looked at today, they tended to take 1300-1900 seconds to complete per system.
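The approach in the post above (turn on verbose, timestamped logging and look for the plugins that consistently take long) boils down to pairing each plugin's start and finish timestamps per host and ranking the results. The following script is an added illustration, not code from this thread, from Tenable, or from Nessus. The `host=... plugin=... event=start|finish` line format and the plugin IDs are constructed assumptions chosen so the sample runs offline; adapt `LOG_RE` to whatever your scanner actually writes. It also reports plugins that started but never finished, which is the pattern you would expect if one check is sitting in a timeout.

```python
"""Rank scanner plugins by wall-clock duration from a timestamped debug log.

Added example for this thread. The log format below is an ASSUMPTION
(constructed for the sample), not Nessus's real debug format.
"""
import re
from datetime import datetime

# Assumed line shape: "<timestamp> host=<ip> plugin=<id> event=start|finish"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"host=(?P<host>\S+) plugin=(?P<plugin>\S+) event=(?P<event>start|finish)$"
)

# Constructed sample: one host, four plugins. Plugin 1003 eats almost the
# whole scan; plugin 1004 starts and never reports a finish (hung/timed out).
SAMPLE_LOG = """\
2019-02-11 09:00:00 host=10.0.0.5 plugin=1001 event=start
2019-02-11 09:00:01 host=10.0.0.5 plugin=1001 event=finish
2019-02-11 09:00:01 host=10.0.0.5 plugin=1002 event=start
2019-02-11 09:00:03 host=10.0.0.5 plugin=1002 event=finish
2019-02-11 09:00:03 host=10.0.0.5 plugin=1003 event=start
2019-02-11 09:21:40 host=10.0.0.5 plugin=1003 event=finish
2019-02-11 09:21:40 host=10.0.0.5 plugin=1004 event=start
this line does not match and is skipped
"""


def parse_log(text):
    """Yield (timestamp, host, plugin, event); silently skip non-matching lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["host"], m["plugin"], m["event"]


def plugin_durations(text):
    """Return ({(host, plugin): seconds}, [(host, plugin) still running]).

    A 'finish' with no preceding 'start' is ignored; a 'start' with no
    'finish' is reported separately so hung plugins are not lost.
    """
    started, finished = {}, {}
    for ts, host, plugin, event in parse_log(text):
        key = (host, plugin)
        if event == "start":
            started[key] = ts
        elif key in started:
            finished[key] = (ts - started.pop(key)).total_seconds()
    return finished, sorted(started)


def slowest(text, n=5):
    """Top-n (host, plugin) pairs by duration, longest first."""
    finished, _ = plugin_durations(text)
    return sorted(finished.items(), key=lambda kv: kv[1], reverse=True)[:n]


def per_host_totals(text):
    """Sum of finished plugin time per host (compare against wall-clock scan time)."""
    finished, _ = plugin_durations(text)
    totals = {}
    for (host, _plugin), secs in finished.items():
        totals[host] = totals.get(host, 0.0) + secs
    return totals


def report(text, n=5):
    """Human-readable summary for quick triage from a shell."""
    for (host, plugin), secs in slowest(text, n):
        print(f"{host} plugin {plugin}: {secs:.0f}s")
    _, unfinished = plugin_durations(text)
    for host, plugin in unfinished:
        print(f"{host} plugin {plugin}: started, never finished")
    for host, secs in per_host_totals(text).items():
        print(f"{host} total finished plugin time: {secs:.0f}s")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

If the per-host total of finished plugin time is far below the wall-clock scan time, the delay is not in the plugins themselves but in whatever runs before them (credential checks, port discovery, waiting on a timeout), which narrows the search to the scan's early phases rather than the audit checks.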
  • JDMurray (Admin, Posts: 13,023)
    iBrokeIT said:
    Interesting fact, if you place a check mark next to "Enable plugin debugging" it will triple your scan times because Nessus will have that write the verbose output to disk.
    I'd write those logs to an SSD or virtual (RAM) drive to speed that up.
  • beads (Member, Posts: 1,531)
    If Nessus is set to scan during idle times, that alone will make a huge difference. Would start with watching the target for low CPU and disk activity compared to the scans and see where the difference in activity is and is not. There are so many settings in the Administration panel. Without looking directly at that piece and seeing what is set up compared to the target box, time of scan, CPU setting, etc., it's going to be hard to diagnose without more information.
  • McxRisley (Member, Posts: 494)
    Z0sickx said:
    iBrokeIT said:
    The Nessus scan settings that you choose have a huge impact on performance and scan time.
    Right, but as of now they're run with conservative settings; we've even tried cutting those max hosts/max plugins in half with no noticeable difference other than long scan times. In the meantime, as I've troubleshot, I changed all scanners to use HIGH memory usage to squeeze a little more performance out of them, since they are dedicated scanners with plenty of RAM.
    Define "conservative"; you are not giving enough details here for us to help you. I have A LOT of experience with Nessus and its issues. What scan policy are you using?
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • Z0sickx (Member, Posts: 180)
    Conservative as in max hosts = 30, max checks = 4. Endpoints are running 8 GB of RAM and 2 cores, so I don't believe it's an endpoint resource issue. Yes, we've tried cutting those performance settings in half. I've gone into Nessus and modified the mem_usage from low to high and turned logging to minimal to see if that would boost things up too, with the same results. Antivirus and host intrusion prevention show no blocks within the logs related to Nessus. I'm having a hard time blaming it on Nessus when it previously was able to scan within 7-10 per host, going to 20+ mins with the Windows update to 10.3. Windows Event Viewer security logs didn't reveal much either.
  • Ertaz (Member, Posts: 934)
    How many ports are open on the scan target? .... 
  • Z0sickx (Member, Posts: 180)
    Ertaz said:
    How many ports are open on the scan target? ....
    All ports, with exceptions... I don't have the full list of exceptions.
  • Ertaz (Member, Posts: 934)
    Z0sickx said:
    Ertaz said:
    How many ports are open on the scan target? ....
    All ports, with exceptions... I don't have the full list of exceptions.
    Which ports are being detected? (is what I should have said.)
  • iBrokeIT (Member, Posts: 1,318)
    Z0sickx said:
    Conservative as in max hosts = 30, max checks = 4. Endpoints are running 8 GB of RAM and 2 cores, so I don't believe it's an endpoint resource issue. Yes, we've tried cutting those performance settings in half. I've gone into Nessus and modified the mem_usage from low to high and turned logging to minimal to see if that would boost things up too, with the same results. Antivirus and host intrusion prevention show no blocks within the logs related to Nessus. I'm having a hard time blaming it on Nessus when it previously was able to scan within 7-10 per host, going to 20+ mins with the Windows update to 10.3. Windows Event Viewer security logs didn't reveal much either.
    Are the servers you are scanning located in the same datacenter/site as your Nessus scanner? If so, I would set Max Checks = 20 and increase by 5 depending on your performance. What is your timeout value set to?