Risk Dashboard
Updated Jan 25, 2024
The Risk Dashboard Scanner Config page allows you to make changes to your scanning configuration and scanning schedules. The page includes these sections:
- Risk metrics — Provides risk score information.
- Scanner Configuration — Displays configuration details about the selected scanner.
  For more information, see Scanner Configuration section, View the configuration of a scanner, Verify scanner health, Enable or disable Only ping the target mode, Enable brute force scanning, Brute force scanning username checks, Enable CGI scanning, Disable a scan, Disable brute force scanning, Disable CGI scanning, and Remove a scan schedule.
- Scanning Schedule — Displays scans that are scheduled for a selected scanner.
- Credentialed Scanning — Lists all the scans that have credentialed scanning enabled.
- Scanning Queue — Displays all running and scheduled scans for the selected scanner. This section is only visible if you are viewing information for a scanner that has scans queued.
By default, the scanner scans all devices on the same network subnet as the IP or mask that is provisioned. If needed, you can add more devices for scanning, provided they are reachable through a gateway.
The scanner virtual machine (VM) is designed for rapid and continuous scanning to process all the network hosts as quickly as possible. It is normal for the scanner to consume all of the virtual CPU (vCPU) allocated to it. This could be undesirable in a highly overloaded ESXi environment, and allocating more resources may be difficult in the short term. In this situation, Arctic Wolf® recommends using the minimum system requirements as described in Install an Arctic Wolf vScanner for your environment. If CPU consumption is an issue, try deploying a physical scanner as described in Install an Arctic Wolf Scanner. However, Arctic Wolf only recommends a physical scanner if your ESXi environment is unable to manage the vScanner resource requirements.
By design, company-identifying information is not sent out of your network. Each scanner is provisioned with a globally unique identifier (GUID). The customer-to-GUID mapping is stored within the Arctic Wolf secure network.
The scan frequency for a host depends on a number of factors, including:
- The uptime of the host.
- The number of hosts in the scan.
- Host uptime on the network.
- The scanner hardware.
Arctic Wolf recommends that you scan each host on the network once every 10-14 days at a minimum. You may require more scanners based on your network size and complexity.
Note: EVA scans run monthly. Arctic Wolf does not recommend scanning too frequently because this could conflict with firewall rules or generate too much noise.
The Risk Scanner operates in stages when determining which hosts to scan next. Scans begin five minutes after the previous scan completes. During this process, the Risk Scanner:
- Builds a list of active hosts based on the most recently completed Nmap scan.
- Uses the OpenVAS history to sort the list of active hosts according to the least recently scanned interval, with the least recently scanned host at the top of the list, and the most recently scanned host at the bottom.
- Determines if each host is eligible to be scanned based on whether the current time falls within the applicable scan schedule window.
- Determines the system capacity to manage simultaneous scans based on the current CPU load. It begins with one scan and increases by one additional scan every cycle until all CPU resources are used. If the CPU load exceeds the threshold, the number of simultaneous scans is reduced by one for the next scan cycle.
- Runs the new scan, starting with the least recently scanned host that is available to be scanned at that moment. Then, the scanner polls for the next least recently scanned host until the scanning capacity is reached.
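The staged selection described above can be modeled in a few lines. This is an added sketch, not Arctic Wolf code. The function names, the 0.90 CPU threshold, the floor of one scan, the choice to sort never-scanned hosts first, and the sample hosts are all assumptions.

```python
from datetime import datetime, time

CPU_THRESHOLD = 0.90  # assumed value; the page does not state the threshold

def in_window(now, window):
    """True if `now` is inside a (start, end) window; handles windows that wrap past midnight."""
    start, end = window
    t = now.time()
    return start <= t < end if start <= end else (t >= start or t < end)

def next_capacity(current, cpu_load, threshold=CPU_THRESHOLD):
    """One more simultaneous scan per cycle; one fewer after a cycle whose load exceeded the threshold."""
    if cpu_load > threshold:
        return max(1, current - 1)  # floor of one scan is an assumption
    return current + 1

def pick_hosts(active, last_scanned, windows, now, capacity):
    """Sort active hosts least recently scanned first, drop those outside their window, fill capacity."""
    # Hosts with no scan history sort first (assumption).
    ordered = sorted(active, key=lambda h: last_scanned.get(h, datetime.min))
    eligible = [h for h in ordered if in_window(now, windows[h])]
    return eligible[:capacity]

def simulate(cpu_loads, start=1):
    """Return the simultaneous-scan limit used in each cycle, given the CPU load observed in that cycle."""
    limits, cap = [], start
    for load in cpu_loads:
        limits.append(cap)
        cap = next_capacity(cap, load)
    return limits

# Constructed sample data: hosts from the latest discovery scan, their scan history and windows.
NOW = datetime(2024, 1, 25, 23, 30)
NIGHT, OFFICE = (time(22, 0), time(6, 0)), (time(9, 0), time(17, 0))
ACTIVE = ["host-a", "host-b", "host-c", "host-d"]
LAST_SCANNED = {"host-a": datetime(2024, 1, 20), "host-b": datetime(2024, 1, 10),
                "host-c": datetime(2024, 1, 15)}  # host-d has no history
WINDOWS = {"host-a": NIGHT, "host-b": OFFICE, "host-c": NIGHT, "host-d": NIGHT}

if __name__ == "__main__":
    for cycle, cap in enumerate(simulate([0.30, 0.50, 0.95, 0.60]), start=1):
        print(cycle, cap, pick_hosts(ACTIVE, LAST_SCANNED, WINDOWS, NOW, cap))
```

In this model a host whose schedule window excludes the current time (host-b here) is skipped even when it is among the least recently scanned, which is one reason a narrow window can stretch the interval between scans of that host.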