Managed Risk Scanner and vScanner FAQs

This information answers frequently asked questions (FAQs) about Arctic Wolf® Managed Risk Scanners and vScanners. It includes information for Internal Vulnerability Assessment (IVA) scanning.

For more information about Risk Scanner configuration, see Configure a scanner.

Contact your Concierge Security® Team (CST) at security@arcticwolf.com if you have questions that are not answered here.

Scanner installation and configuration FAQs

This information answers frequently asked questions about scanner installation and configuration.

Q: Where should I deploy a scanner in my network?

A: Deploy scanners so that scan traffic does not have to cross wide area network (WAN) links or pass through devices that restrict connectivity, such as firewalls or proxies.

Q: Who installs the scanner?

A: Your IT staff installs the virtual machine (VM) or physical scanner.

Q: Who maintains the scanner?

A: Arctic Wolf maintains the scanner service, including regular software updates and scanner warranty, because we own the provided scanner hardware or VM software instance that enables network discovery of threats and vulnerabilities.

Q: How long does the hardware scanner installation take?

A: The physical installation takes minutes. To install the scanner hardware, install the scanner in a rack, connect an Ethernet cable, and then connect the power cord.

After you turn on the scanner power, the scanner connects to Arctic Wolf servers within minutes.

Q: What are the physical space and power requirements of the hardware scanner?

A: The physical scanner hardware is a 1RU rack-mountable server with these dimensions in inches: 1.7 high x 16.8 wide x 14.0 deep. A 200-W, low-noise AC power supply with power factor correction (PFC) powers the scanner.

Q: Does the physical scanner support scanning multiple non-routable networks?

A: No. A physical scanner has multiple hardware network ports, but the software is configured to use only one primary network on one network interface card (NIC). Connecting multiple physical, non-routable networks is not supported because it would turn the scanner into a bridge between networks that are otherwise separate, which violates secure design principles.

Q: Do I need to configure the scanner?

A: The scanner can search for hosts on its network and begin scanning without configuration. You can also configure the scanner to scan or ignore other routable hosts or networks, if needed.

Q: Do I need to open a port in the firewall for the scanner?

A: The scanner, both physical and virtual, communicates with Arctic Wolf cloud infrastructure. Arctic Wolf recommends that you create a defined outbound security rule from your scanner IP address to all necessary Managed Risk Scanner IP addresses to make sure there is proper functionality.

To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.

Q: Can I have multiple scanners for different parts of my network?

A: Yes. You can deploy multiple scanners to scan separate parts of your network, for example a co-location or remote office without direct connectivity, or other areas that you do not want to scan from the main scanner location.

Q: Can we configure our own NTP server for the scanner?

A: No. You cannot configure your own NTP server for your scanner. The scanner is configured to access a group of global, publicly available, NTP servers. This provides consistency if localized issues occur.

Q: What kind of impact does the scanner have on the network and systems?

A: The impact of processing on the target systems is typically negligible. Some older systems, for example consumer-grade printers or network Internet-of-Things (IoT) devices, might have denial of service vulnerabilities that are revealed when scanned.

The network scanner primarily uses two tools to detect hosts and conduct vulnerability scans:

  • Nmap — Very lightweight, sending only Internet Control Message Protocol (ICMP) and synchronize (SYN) packets for port scanning.
  • OpenVAS — Also lightweight, typically sending and receiving <400 kB/sec of bandwidth on a typical network. Depending on the hosts that are scanned and what services they are running, occasional bursts of bandwidth to ~1 MB/sec might occur.

Q: Can endpoint detection and response solutions interfere with the scanner?

A: Yes. Arctic Wolf recommends adding an exception for your scanner IP address to your endpoint detection and response (EDR) solution.

Scanner operation FAQs

This information answers frequently asked questions about scanner operation.

Q: Does the scanner scan for or detect the SSL/TLS versions that a website supports?

A: The scanner looks for weak TLS ciphers. The scanner does not look at SSL registry information or test against fallback methods.

Q: Why is the scanner failing to resolve a host name?

A: The scanner does not perform asset profiling, including host name resolution, if:

  • The host was not detected during the identification phase.
  • The host is on the denylist for the scanner.

If you are seeing continued failures to resolve the name for a visible host, contact Arctic Wolf so that we can attempt manual tests on your scanner.

Note:

Arctic Wolf recommends adding all DNS servers to the Host Collection DNS Servers in the Risk Dashboard.

IVA scanning FAQs

This information answers frequently asked questions about IVA scanning.

Q: Does the IVA Scanner scan for common passwords like “admin” or “password” to see if any devices have default or easily guessable passwords on them?

A: There is an option on the IVA Scanner to perform brute-force scans, where common or default usernames and passwords are attempted. Additionally, Managed Risk performs Account Takeover (ATO) scans to identify instances of passwords, credentials, or other personally identifiable information (PII) that were exposed to malicious actors.

See External Vulnerability Assessment for more information on Account Takeover (ATO) scans.

Q: If scheduled scans are configured, why are host identification scans occurring outside of the schedule?

A: Host identification scanning, or Nmap scanning, is permitted outside of the vulnerability scanning window so that it does not limit the time remaining in the scheduled window for vulnerability scans. The IVA Scanner maintains an active list of all targets, and then decides the targets and order for scanning during the scheduled vulnerability scan, based on the latest results. All other scan types occur within the schedule.

Q: How are the credentials that are used in credential scanning stored?

A: When a scanner first comes online and registers with our system, it generates a unique public/private cryptographic key pair using RSA with a 4096-bit key. Part of the registration process for the new scanner is to publish the public component of this key pair to our servers. The private key is never transmitted off of the scanner.

When a credential is added through the Risk Dashboard for credentialed scanning, the data is divided into public and private fields. Public fields include the hosts that a given credential is for, the display name of the credential that is not the username, and a comment for easy viewing on the Risk Dashboard. Private fields include usernames, passwords, certificates, keys, and any information that could be used as a component of the actual credential.

Private fields and public information are stored differently:

  • Private — Encrypted with a unique AES 256 key, or session key, and then encrypted with the public key of a target scanner. This encrypted data package is then paired with the public fields and stored in our database. A copy of this data is sent to the target scanner over a secure channel that again uses unique AES 256 session keys secured with the scanner public key. The private key is never transmitted off of the scanner. When the scanner receives the encrypted credential message, the message is stored to disk using the existing encryption before it is decrypted, and then it is decrypted only as required during use. It is never stored on disk in a decrypted form.
  • Public — Stored in the database for use with the Risk Dashboard, and the private information is stored for re-publishing to the scanner if the scanner ever requests it. When the private information is stored in the database, there is no way for any device other than the scanner to read the private fields of a credential, and they cannot be recovered or moved to another scanner.

Q: Does vulnerability scanning work if asset identification scanning is disabled?

A: No. You must enable asset identification scanning to perform vulnerability scanning. You can make these adjustments on the Scanner Config page of the Risk Dashboard. See Risk Dashboard for more information.

Q: How long does it take to scan my environment with continuous scanning?

A: Scanner performance metrics vary based on your environment. If you are using a vScanner, the allocated resources can also affect scanner performance. Generally, the Managed Risk Scanner can scan approximately 540 devices in a 24-hour period.

Q: What happens if a scan takes longer than the scheduled scan window?

A: Scan times range from 2–200 minutes. If a scan is scheduled to a window that is too small for the scan to complete in, the scan continues until it finishes. It does not stop at the end of the scheduled window. If it did, longer scans would never complete.

For example, if you schedule a 60-minute scan window but a host would take 70 minutes to scan, the scan could not complete without exceeding the window. To avoid this, the schedules define when a scan might start, relying on the fact that the majority of scans take only 5–15 minutes to complete.

Q: Can I scan AWS or other cloud-hosted devices?

A: Various cloud providers have different policies around when and if vulnerability assessments are allowed according to their respective Acceptable Use Policies (AUPs):

  • AWS — AWS has a strict AUP around vulnerability scanning, but you can deploy a vScanner for AWS to scan AWS resources. See Install a vScanner in an AWS Environment for more information.
  • Digital Ocean — Digital Ocean has a lightweight AUP, but Arctic Wolf recommends contacting Digital Ocean to prevent unintentional service interruptions.
  • Others — Contact the appropriate cloud hosting provider to discuss their AUP and vulnerability assessment.

EVA scanning FAQs

This information answers frequently asked questions about EVA scanning.

Q: What is the difference between EVA scanning and IVA scanning?

A: EVA scanning targets your external systems to find vulnerabilities in your externally facing services. IVA scanning targets your internal network devices, for example, laptops, servers, peripherals, IoT-enabled machines, and mobile devices. If you require EVA scanning, contact your CST. For more information about EVA scanning, see EVA overview.

Scanner troubleshooting FAQs

This information answers frequently asked questions about scanner troubleshooting.

Q: Why does the scanner show results for itself in the Risk Dashboard?

A: If the scanner IP address is not added to your denylist on the Scanner Config page of the Risk Dashboard, your scanner IP address can appear in scan results in the Risk Dashboard.

Q: Why did I see a bandwidth spike during a scan?

A: Spikes in bandwidth usage might be related to:

  • Webservers with a large 404 page — A custom 404 page, especially one that contains images, can be large. The scanner requests many URLs that do not exist on webservers, and a large 404 page returned for each of those requests can generate large spikes in bandwidth.
  • Misconfigured or poorly behaving hosts — Some services might immediately respond to an initial connection with a large volume of unsolicited data, generating a spike in bandwidth.
  • Stateful east-west firewalls — Networks where Nmap scans travel through a firewall need to be configured to handle the Nmap traffic, or have a separate risk scanner deployed in those network segments.