Risk Scan Engine Troubleshooting
Updated Aug 10, 2023
Troubleshoot Risk Scan Engine
This information provides solutions for common Arctic Wolf Risk Scan Engine (formerly Joval) issues.
Unexpected scan results
Possible cause:
- A Risk Scan Engine defect or a content defect.
- The result may be accurate.
Resolution: If the unexpected result is UNKNOWN, ERROR, or a PASS or FAIL that you suspect is inaccurate:
1. Create a diagnostic report for the scan, if you haven’t already.
2. Review the diagnostic details for the rules with suspicious results. Use the color-coded test result tree to identify the specific tests that caused the unexpected result.
3. Review the diagnostic details for those tests. Ask yourself these questions:
   a. Are there error messages that explain why the unexpected result occurred?
   b. Does the assessment logic applied to the collected data appear to be accurate?
   c. Does the data that Risk Scan Engine collected appear to match the actual machine state?
4. Assign the cause of the unexpected result:
   a. Risk Scan Engine encountered a specific error evaluating this test.
   b. Risk Scan Engine did not accurately evaluate the assessment logic against the collected data.
   c. Risk Scan Engine did not accurately collect the required data from the machine.
   d. Risk Scan Engine appears to have completed the evaluation accurately and the result is, in fact, correct.
   e. Risk Scan Engine appears to have completed the evaluation accurately, but the result is inaccurate because there is an issue with the content.
If this is a Risk Scan Engine issue (4a, 4b, or 4c) or if the unexpected result is NOT SELECTED or NOT APPLICABLE:
- Rerun the scan using the Joval-Utilities in debug mode to create a Risk Scan Engine debug package. See Create a Risk Scan Engine debug package.
- Confirm that this scan produces the same result.
- Create a ticket for Risk Scan Engine support. Include your findings from these resolution steps and the debug package zip file.
Host Unreachable Error on Windows targets
Possible cause: For remote connectivity to Windows devices, the Windows Remote Management Framework (WinRM) version 2.0 or higher is required.
Resolution: Make sure that the Windows Remote Management service is running on the target machine.
- Run this command:
runas /u:Administrator "winrm qc"
Host Unreachable Error on VMware VI SDK Targets
Possible cause: The host configuration is incorrect.
Resolution:
- Verify that you can reach the host from a browser.
- Verify that the username and password for the host are valid and match the data in the scan configuration file.
Host Unreachable Error on PAN-OS Targets
Possible cause: The PAN-OS device doesn’t have an IP address configured.
Resolution:
- Verify whether the PAN-OS device has an IP address. Connect to the console port and run this command:
  show interface management
  Successful output:
  -------------------------------------------------------------------------------
  Name: Management Interface
  Link status:
    Runtime link speed/duplex/state: 1000/full/up
    Configured link speed/duplex/state: auto/auto/auto
  MAC address:
    Port MAC address <mac_address>
  Ip address: <ip_address>
  Netmask: <netmask>
  Default gateway: <gateway>
  Ipv6 address: unknown
  Ipv6 link local address: unknown
  Ipv6 default gateway: unknown
  -------------------------------------------------------------------------------
- If the device does not have an IP address, configure the IP address settings:
  - To begin configuration, run this command in the console port:
    configure
  - To set an IP address, run this command:
    set deviceconfig system ip-address <ip_address>
  - To set a default gateway, run this command:
    set deviceconfig system default-gateway <gateway>
  - To set a netmask, run this command:
    set deviceconfig system netmask <netmask>
  - To commit your changes, run this command:
    commit
  - Wait a few minutes, and then run this command to test the new IP address settings:
    show interface management
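- If the IP address settings are configured correctly, verify whether your machine can access the host IP address. In the command line, run this command:
  curl -k https://<ip_address>:<port_number>/api/\?type=keygen
  Expected output:
  <response status = 'error' code = '400'><result><msg>Missing value for parameter "user".</msg></result></response>
  This error response is the expected result: it shows that the API endpoint is reachable and answering, and it only reports that the request did not include the user parameter.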
Host Unreachable Error on other non-Windows targets
Possible cause: For remote connectivity to Unix, Cisco, and Juniper devices, Risk Scan Engine relies on the availability of SSH.
Resolution: Make sure that the target device permits incoming SSH connections.
Unable to sign in to a Windows device using Risk Scan Engine
Possible cause:
- You used an incorrect password.
- You are attempting to sign in as a user who is not a member of the Administrators or Remote Management Users groups. Generally speaking, only members of these groups are able to sign in using Windows Remote Management.
- The target machine is configured to disallow the Negotiate authentication method.
- Signing in using a local machine account is disabled. This issue sometimes occurs after upgrading from Windows Management Framework 1.0 to 2.0, for example, on a Windows 2008 Server machine.
Resolution:
- Run this command to view permitted authentication methods on the target:
winrm get winrm/config/Client/Auth
- To enable local account logins in this situation, create the LocalAccountTokenFilterPolicy registry value:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Value Name: LocalAccountTokenFilterPolicy
  Type: DWORD
  Value: 1
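A read-only check for the causes listed above, run on the target before creating the registry value, since setting LocalAccountTokenFilterPolicy to 1 turns off UAC remote token filtering for every local administrator account on the machine. This is an added example, not Arctic Wolf code; the function name Test-ScanSignInPrereq and the account name scanuser are hypothetical.

```powershell
# Added example, not vendor code. Read-only: nothing here changes the target.
# Run in an elevated PowerShell 5.1+ session on the Windows target.
function Test-ScanSignInPrereq {
    param(
        # Hypothetical scan account name without a domain prefix, e.g. 'scanuser'
        [Parameter(Mandatory)][string]$User
    )

    # WinRM service state (the WSMan: drive used below needs it running)
    $svc = Get-Service -Name WinRM

    # Direct membership in the two groups named above. Nested membership
    # through a domain group is not resolved here.
    $groups = foreach ($g in 'Administrators', 'Remote Management Users') {
        $hit = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*\$User" }
        if ($hit) { $g }
    }

    # Negotiate authentication, client and service side
    $negClient = $negService = $null
    if ($svc.Status -eq 'Running') {
        $negClient  = (Get-Item WSMan:\localhost\Client\Auth\Negotiate).Value
        $negService = (Get-Item WSMan:\localhost\Service\Auth\Negotiate).Value
    }

    # LocalAccountTokenFilterPolicy: absent or 0 means local administrators
    # get a filtered token on remote logons; 1 disables that filtering.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop  = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $latfp = if ($prop) { $prop.LocalAccountTokenFilterPolicy } else { $null }

    [pscustomobject]@{
        WinRMService                  = $svc.Status
        GroupMembership               = if ($groups) { $groups -join ', ' } else { 'none (direct)' }
        NegotiateClient               = $negClient
        NegotiateService              = $negService
        LocalAccountTokenFilterPolicy = if ($null -eq $latfp) { 'not set' } else { $latfp }
    }
}

Test-ScanSignInPrereq -User 'scanuser'
```

If group membership or Negotiate turns out to be the cause, the registry value can stay unset.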
Create a ticket for Risk Scan Engine support
You can create a ticket for the support team and attach any relevant support files. For information about creating debug packages, see Create a Risk Scan Engine debug package.
- In the Customer Support Portal, click Submit New Request.
- (Optional) Enter an email address to receive a copy of the ticket.
- In the Subject field, enter a summary of your concern.
- In the Description field, describe the details of your concern.
- In the Attachments section, add the debug package and any other supporting materials.
- Click Submit.
Create a Risk Scan Engine debug package
A Risk Scan Engine debug package contains low-level application logs designed to help the support team quickly and accurately diagnose an issue. If you are experiencing an issue, use Joval Utilities to create a debug package using one of these methods:
Create a debug package using Joval Utilities in Scan Mode
If you are using the Joval Utilities in scan mode with a configuration file, you can edit the file to create a debug package.
- Remove the semicolons before [Debug] and export.dir near the end of the file to uncomment the debug section. Expected result:
  ;
  ; Uncomment this section to create a debug package for Joval Support.
  ;
  [Debug]
  export.dir: /path/to/dir/for/debug/zips
- If your scan includes multiple targets, remove all but one or two that are exhibiting the issue.
- Rerun your scan.
- When the scan is complete, navigate to the specified export.dir directory to access the debug package zip file.
Create a debug package using Joval Utilities in Xpert Mode
If you are using the Joval Utilities in Jovaldi or Xpert mode, you can create a debug package in the command line.
- Add -debug to the end of the command and rerun the scan:
  java -jar Joval-Utilities.jar xpert <additional parameters> -debug
  An xpert-debug.zip or jovaldi-debug.zip file is generated.
Create a debug package using the Joval SDK
- Create a debugging package using the org.joval.util.DebugPackage Java class:
    IReport report;
    SessionFactory factory;
    ...
    // Set the ISession debug property before the session is created
    Configurator.get(factory.getClass()).addConfigurationProperty("jsaf.intf.system.ISession", ISession.PROP_DEBUG, "true");
    ISession session;
    ...
    // Build the package in the current directory from the report and the session workspace
    File dir = new File(".");
    File ws = session.getWorkspace();
    DebugPackage pkg = new DebugPackage(dir, "debug-package.zip", report, ws);
    pkg.addLog(logFile); // logFile: the File your application logs to
    File debugFile = pkg.generate();
    System.out.println("Generated debug package file: " + debugFile.getPath());