Managed Risk Scanner FAQ
Updated Feb 22, 2024
- Managed Risk Scanner and vScanner FAQs
- Scanner installation and configuration FAQs
  - Q: Where should I deploy a scanner in my network?
  - Q: Who installs the scanner?
  - Q: Who maintains the scanner?
  - Q: How long does the hardware scanner installation take?
  - Q: What are the physical space and power requirements of the hardware scanner?
  - Q: Does the physical scanner support scanning multiple non-routable networks?
  - Q: Do I need to configure the scanner?
  - Q: Do I need to open a port in the firewall for the scanner?
  - Q: Can I have multiple scanners for different parts of my network?
  - Q: Can we configure our own NTP server for the scanner?
  - Q: What virtual environments are supported for the virtual scanner?
  - Q: What kind of impact does the scanner have on the network and systems?
  - Q: Can endpoint detection and response solutions interfere with the scanner?
- Scanner operation FAQs
  - Q: What tests does the scanner perform?
  - Q: What does the scanner do during a scan?
  - Q: What kind of devices does the scanner scan?
  - Q: Does the scanner scan over IPv6 networks?
  - Q: Does the scanner exploit found vulnerabilities?
  - Q: How resource-intensive is the scan on the target machine?
  - Q: Should I stagger scan times based on location?
  - Q: When is continuous scanning applicable or preferred?
  - Q: How often are IVA discovery scans run?
  - Q: Are there best practices for scan schedules?
  - Q: How long does a typical scan take for each device?
  - Q: How should I configure the scanning schedule?
  - Q: What is the difference between the default discovery scans, like Nmap, and a ping-only scan?
  - Q: Does the scanner scan for or detect the SSL/TLS versions that a website supports?
  - Q: Why is the scanner failing to resolve a host name?
- IVA scanning FAQs
  - Q: Does the IVA Scanner scan for common passwords like “admin” or “password” to see if any devices have default or easily guessable passwords on them?
  - Q: If scheduled scans are configured, why are host identification scans occurring outside of the schedule?
  - Q: How are the credentials that are used in credential scanning stored?
  - Q: Does vulnerability scanning work if asset identification scanning is disabled?
  - Q: How long does it take to scan my environment with continuous scanning?
  - Q: What happens if a scan takes longer than the scheduled scan window?
  - Q: Can I scan AWS or other cloud-hosted devices?
  - Q: Can we schedule IVA scans of devices or IP addresses on a daily, monthly, or quarterly basis?
  - Q: What is the underlying technology used for IVA scanning?
- EVA scanning FAQs
  - Q: How many ports are scanned during an EVA scan?
  - Q: How does the EVA Scanner determine if a host is online before performing a vulnerability scan?
  - Q: How often are EVA discovery scans run?
  - Q: Can we schedule EVA scans of devices or IP addresses on a daily, monthly, or quarterly basis?
  - Q: What are the EVA port states?
- Scanner troubleshooting FAQs
- See also
This information answers frequently asked questions (FAQs) about Arctic Wolf® Managed Risk Scanners and vScanners. It includes information for Internal Vulnerability Assessment (IVA) scanning. For more information about Risk Scanner configuration, see Configure a scanner.
Contact your Concierge Security® Team (CST) at email@example.com if you have questions that are not answered here.
Scanner installation and configuration FAQs
This information answers frequently asked questions about scanner installation and configuration.
Q: Where should I deploy a scanner in my network?
A: You can deploy the scanner anywhere within your network to scan any device that has layer 3 (L3) reachability. If the scanner can ping a device, it can scan that device. This includes off-site devices that are connected to your network through a VPN.
Q: Who installs the scanner?
A: An Arctic Wolf employee or your IT staff install the scanner, depending on whether you choose the virtual machine (VM) or physical scanner.
Q: Who maintains the scanner?
A: Arctic Wolf maintains the scanner service, including regular software updates and scanner warranty, because we own the provided scanner hardware or VM software instance that enables network discovery of threats and vulnerabilities.
Q: How long does the hardware scanner installation take?
A: The physical installation takes minutes. To install the scanner hardware, mount the scanner in a rack, connect an Ethernet cable, and then connect the power cord.
After you turn on the scanner power, the scanner connects to Arctic Wolf servers within minutes.
Q: What are the physical space and power requirements of the hardware scanner?
A: The physical scanner hardware is a 1RU rack-mountable server with these dimensions in inches: 1.7 high x 16.8 wide x 14.0 deep. A 200-W, low-noise AC power supply with power factor correction (PFC) powers the scanner.
Q: Does the physical scanner support scanning multiple non-routable networks?
A: No. A physical scanner has multiple hardware network ports, but the software is only configured to allow one primary network or one network interface card (NIC). Configuration with multiple, physical, non-routable networks is not supported because it would cause the scanner to become a bridge between networks that are otherwise separate, which is a violation of secure design principles.
Q: Do I need to configure the scanner?
A: The scanner can search for hosts on its network and begin scanning without configuration. You can also configure the scanner to scan or ignore other routable hosts or networks, if needed.
Q: Do I need to open a port in the firewall for the scanner?
A: The scanner, both physical and virtual, communicates with Arctic Wolf cloud infrastructure. Arctic Wolf recommends that you create a defined outbound security rule from your scanner IP address to all necessary Managed Risk Scanner IP addresses to make sure there is proper functionality. To see all the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click > Allowlist Requirements, and then view the IP addresses in the section for your product.
Q: Can I have multiple scanners for different parts of my network?
A: Yes. You can deploy multiple scanners to scan separate parts of your network, for example a co-location or remote office without direct connectivity, or other areas that you do not want to scan from the main scanner location.
Q: Can we configure our own NTP server for the scanner?
A: No. You cannot configure your own NTP server for your scanner. The scanner is configured to access a group of global, publicly available NTP servers. This provides consistency if localized issues occur.
Q: What virtual environments are supported for the virtual scanner?
A: See Managed Risk Scanner Installation and Configuration Guide for all requirements.
Q: What kind of impact does the scanner have on the network and systems?
A: The processing impact on the target systems is typically negligible. Some older systems, for example consumer-grade printers or Internet-of-Things (IoT) devices, may have denial-of-service vulnerabilities that are revealed when they are scanned.
The network scanner primarily uses two tools to detect hosts and conduct vulnerability scans:
- Nmap — Very lightweight, sending only Internet Control Message Protocol (ICMP) and synchronize (SYN) packets for port scanning.
- OpenVAS — Also lightweight, typically sending and receiving less than 400 kB/sec of bandwidth on a typical network. Depending on the hosts that are scanned and the services they are running, occasional bursts of bandwidth to approximately 1 MB/sec may occur.
Q: Can endpoint detection and response solutions interfere with the scanner?
A: Yes. Arctic Wolf recommends adding an exception for your scanner IP address to your endpoint detection and response (EDR) solution.
Scanner operation FAQs
This information answers frequently asked questions about scanner operation.
Q: What tests does the scanner perform?
A: The scanner runs network vulnerability tests (NVTs) that provide:
- Remote version detection — The scanner connects to host services and collects self-reported version information to verify whether hosts are running versions with known vulnerabilities.
  - These NVTs may miss self-applied patches that do not change the reported version number.
  - When services are locked down or otherwise configured not to self-report versions, the scanner may not detect these vulnerabilities.
- Crafted packet and response check — The scanner sends a specific series of packets that test whether a vulnerability exists, based on the response from the host.
- Credentialed detection — If configured, the scanner connects using customer-supplied credentials to obtain a list of installed software, and then the version check NVTs run against that list.
  Tip: This detection can find vulnerabilities that are not remotely exploitable, for example an Adobe Acrobat vulnerability.
- Weak or default password checking — Services that have a sign-in prompt, for example SSH or web pages, or services that collect credentials as part of the protocol, for example SMB, are tested against default or weak passwords. For example,
  Note: These scans can negatively impact services with lockout policies. You can disable these types of scans on those devices.
Q: What does the scanner do during a scan?
A: Using the provided schedules, the scanner obtains a list of targets to look for. Using the list of targets and the data from the denylist, the scanner attempts to determine whether the relevant machines are online by sending Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), and Transmission Control Protocol (TCP) packets, and then monitoring for responses.
In almost all cases, the scanner runs a full scan that:
- Fingerprints web server software
- Analyzes HTTP headers for security misconfiguration
- Checks the security of HTTP cookies
- Checks the SSL certificate of the server
- Checks if known vulnerabilities are affecting server software
- Checks robots.txt for interesting URLs. For example, /admin or other restricted pages
- Checks whether a client access file exists, and then determines if it contains a wildcard entry. For example,
- Discovers server configuration problems. For example, directory listing
- Crawls websites
- Checks for SQL injection
- Checks for cross-site scripting
- Checks for local file inclusion and remote file inclusion
- Checks for operating system (OS) command injection
- Finds administrative pages
- Checks for sensitive files. For example, archives, backups, certificates, or key stores, based on hostname and some common words
- Attempts to find interesting files or functionality. For example, restriction or permission concerns
- Checks for information disclosure issues
- Checks mail servers for SMTP problems, including mail relay
Q: What kind of devices does the scanner scan?
A: The scanner can scan all device types on a network, including networking gear like switches and routers, printers, cameras, and phones. However, scanning some devices can cause unintended behaviors, including significant issues in production environments, if your scanner is configured to scan those devices. As a result, Arctic Wolf recommends scanning only workstations and servers.
Avoid scanning these devices:
- Printers, especially large-scale printers
- Medical devices
- Internet-of-Things (IoT) devices
- VoIP phones
- Uninterruptible power supplies (UPSs)
- Small network appliances
- Old devices that were likely not built to handle frequent scanning activity
- ESXi servers — Scanning these servers may lock you out and force you to restart their management service.
Q: Does the scanner scan over IPv6 networks?
A: No. The scanner does not support scanning over IPv6 networks.
Q: Does the scanner exploit found vulnerabilities?
A: The scanner never exploits a vulnerability discovered on a host. The scanner determines if a vulnerability exists, and then drops the connection to that host or service.
The scanner runs these types of network tests:
- Host identification tests — ICMP and TCP SYN packets are sent to test if a specific host is connected to the network and responding to basic network connectivity checks.
- Service detection tests — TCP SYN packets are sent to detect what services are responding on which ports.
- Service version tests — The tests connect to a service on the host and determine the version of the service that is running, if possible. Vulnerabilities for that specific version are checked against a database of known vulnerabilities, and matches are reported.
- Exploit tests — The tests connect to a service, wait for a response, and then use that response to send a specifically crafted packet to determine if a particular vulnerability is exploitable.
- Default credential tests — The tests connect to a service, and then attempt to sign in using known or default credentials for that service.
Q: How resource-intensive is the scan on the target machine?
A: Managed Risk scans have a very low impact. Users should not notice any impact on the target machine during scanning.
Q: Should I stagger scan times based on location?
A: You can configure scans based on your preference, including location. You may prefer to perform workstation scanning during the day and server scanning overnight. Scans always run in the order that they are listed on the Risk Dashboard. See Risk Dashboard User Guide for more information.
Q: When is continuous scanning applicable or preferred?
A: Continuous scanning is applicable to IVA scanning and host-based scanning. It is the preferred method because it provides insight that point-in-time vulnerability scans do not. Continuous scanning enables continuous visibility and the immediate discovery of new devices and vulnerabilities that enter your network. Specifically, changes that happen between point-in-time scans are missed if you are not continuously scanning.
Note: Arctic Wolf Agent scans do not use continuous scanning, but you can run these scans daily.
Q: How often are IVA discovery scans run?
A: For more information on when IVA discovery scans run, also known as Nmap scans, see Scan frequency.
Q: Are there best practices for scan schedules?
A: Arctic Wolf suggests starting scans when a member of your team is available. That way, you can add devices to your denylist or turn off scanning if a host reacts poorly to being scanned. Scanning schedules should help prevent devices from going offline or prevent scanners from overwhelming devices with HTTP requests during business hours.
Q: How long does a typical scan take for each device?
A: The scan can take up to an hour to complete, but is usually faster. Scan time depends on the number of open ports and network vulnerability tests (NVTs) that the scan runs against the host. By default, six hosts can be scanned at the same time.
Note: After four hours of scanning a single asset, scans time out and quit scanning that asset.
Q: How should I configure the scanning schedule?
A: Configure the scanner to scan only private internal IP addresses. Do not add anything outside of the ranges listed here: https://en.wikipedia.org/wiki/Private_network.
Configure the scanner to scan IP addresses that are reserved for private networks, for example 192.168.0.0/16. Do not configure public IP addresses for your scanner to scan. For example,
Arctic Wolf recommends:
- Scanning subnet ranges no larger than /24. Scanning larger subnet ranges may not complete in a reasonable timeframe.
- Limiting the number of target IPs scanned to 2048 or less.
- Using a single scanner per collision domain.
Assuming that each scan takes about 16 minutes to complete per device and that the scanner scans 6 hosts at the same time, this table provides estimates of how long it takes to scan a given number of hosts:
Note: Scanner performance can vary based on your environment. If you are using a vScanner, the allocated resources can also affect scanner performance. This table only provides estimates.
Table columns: Minutes to scan | Hours to scan
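The sizing rules in this answer (private ranges only, subnets no larger than /24, at most 2048 targets, about 16 minutes per device with 6 devices scanned at once) can be turned into a pre-flight check for a proposed target list. The Go program below is an added example written for this page; it is not Arctic Wolf's code or tooling. The function names CheckTargets and EstimateMinutes, the RFC 1918 list, and the sample CIDRs are assumptions of the example, and the address count treats every address in a block as a target, which is an upper bound. Its main prints the estimate table this answer describes, computed from the same 16-minute and 6-host figures.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Figures quoted in the FAQ: about 16 minutes per device, six devices at a time,
// at most 2048 targets, and subnets no larger than /24.
const (
	minutesPerHost  = 16
	concurrentHosts = 6
	maxTargets      = 2048
	minPrefixBits   = 24 // fewer prefix bits than /24 means a larger block
)

// rfc1918 is the set of IPv4 private ranges the FAQ points to.
var rfc1918 = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
}

// isPrivateIPv4 reports whether the whole prefix p lies inside one RFC 1918 block.
// IPv6 prefixes return false because the scanner does not scan IPv6 networks.
func isPrivateIPv4(p netip.Prefix) bool {
	if !p.Addr().Is4() {
		return false
	}
	for _, r := range rfc1918 {
		if r.Bits() <= p.Bits() && r.Contains(p.Addr()) {
			return true
		}
	}
	return false
}

// CheckTargets validates a proposed target list (CIDR strings) against the FAQ
// guidance. It returns the number of IPv4 addresses covered and the problems
// found; an empty problem list means the list follows the recommendations.
func CheckTargets(cidrs []string) (total int, problems []string) {
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			problems = append(problems, fmt.Sprintf("%s: not a valid CIDR prefix", c))
			continue
		}
		if !isPrivateIPv4(p) {
			problems = append(problems, fmt.Sprintf("%s: not an RFC 1918 private IPv4 range", c))
		}
		if p.Addr().Is4() {
			if p.Bits() < minPrefixBits {
				problems = append(problems, fmt.Sprintf("%s: larger than a /%d", c, minPrefixBits))
			}
			// Address count of the block, network and broadcast included (an upper bound).
			total += 1 << (32 - p.Bits())
		}
	}
	if total > maxTargets {
		problems = append(problems, fmt.Sprintf("%d target addresses exceeds the recommended %d", total, maxTargets))
	}
	return total, problems
}

// EstimateMinutes returns the estimated wall-clock time to scan n hosts: hosts are
// worked in batches of concurrentHosts, and each batch takes minutesPerHost.
func EstimateMinutes(n int) int {
	batches := (n + concurrentHosts - 1) / concurrentHosts
	return batches * minutesPerHost
}

func main() {
	// Reproduce the FAQ's sizing table from its stated assumptions.
	fmt.Println("hosts  minutes  hours")
	for _, n := range []int{6, 50, 100, 256, 540, 1024, 2048} {
		m := EstimateMinutes(n)
		fmt.Printf("%5d  %7d  %5.1f\n", n, m, float64(m)/60)
	}
	// Constructed target list: one acceptable /24, one oversized /16, one public range.
	total, problems := CheckTargets([]string{"192.168.10.0/24", "10.0.0.0/16", "203.0.113.0/24"})
	fmt.Printf("\n%d addresses requested\n", total)
	for _, msg := range problems {
		fmt.Println("  !", msg)
	}
}
```

EstimateMinutes(540) comes out to 1440 minutes, which is the 540 devices in a 24-hour period quoted in the continuous-scanning answer later on this page, so the two figures in the FAQ are consistent with each other.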
Q: What is the difference between the default discovery scans, like Nmap, and a ping-only scan?
A: The default Nmap scan finds the hosts that exist, and then determines which of them Arctic Wolf should scan for vulnerabilities.
These are the tests performed:
- Address Resolution Protocol (ARP) scan
- Internet Control Message Protocol (ICMP) echo
- ICMP timestamp
- Transmission Control Protocol (TCP) acknowledge (ACK) on port 80
- TCP synchronize (SYN) on port 443
- TCP SYN on more than 1,000 ports
For more information about ICMP echo requests and the Only ping the target toggle, see Only ping the target toggle.
Q: Does the scanner scan for or detect the SSL/TLS versions that a website supports?
A: The scanner looks for weak TLS ciphers. The scanner does not look at SSL registry information or test against fallback methods.
Q: Why is the scanner failing to resolve a host name?
A: The scanner does not perform asset profiling, including host name resolution, if:
- The host was not detected during the identification phase.
- The host is on the denylist for the scanner.
If you are seeing continued failures to resolve the name for a visible host, contact Arctic Wolf so that we can attempt manual tests on your scanner.
Note: Arctic Wolf recommends adding all DNS servers to the Host Collection DNS Servers in the Risk Dashboard.
IVA scanning FAQs
This information answers frequently asked questions about IVA scanning.
Q: Does the IVA Scanner scan for common passwords like “admin” or “password” to see if any devices have default or easily guessable passwords on them?
A: There is an option on the IVA Scanner to perform brute-force scans, where common or default usernames and passwords are attempted. Arctic Wolf limits the number of passwords attempted to the most common ones, and tailors the list based on the type of device detected, to limit account lockouts. Additionally, Managed Risk (MR) performs Account Takeover (ATO) scans to identify instances of passwords, credentials, or other personally identifiable information (PII) that were exposed to malicious actors.
Q: If scheduled scans are configured, why are host identification scans occurring outside of the schedule?
A: Host identification scanning, or Nmap scanning, is permitted outside of the vulnerability scanning window so that it does not limit the time remaining in the scheduled window for vulnerability scans. The IVA Scanner maintains an active list of all targets, and then decides the targets and order for scanning during the scheduled vulnerability scan, based on the latest results. All other scan types occur within the schedule.
Q: How are the credentials that are used in credential scanning stored?
A: When a scanner first comes online and registers with our system, it generates a unique public/private cryptographic key pair using RSA with a 4096-bit key. Part of the registration process for the new scanner is to publish the public component of this key pair to our servers. The private key is never transmitted off of the scanner.
When a credential is added through the Risk Dashboard for credentialed scanning, the data is divided into public and private fields. Public fields include the hosts that a given credential is for, the display name of the credential (which is not the username), and a comment for easy viewing on the Risk Dashboard. Private fields include usernames, passwords, certificates, keys, and any information that could be used as a component of the actual credential.
Private fields and public information are stored differently:
- Private — Encrypted with a unique AES 256 key, or session key, which is then encrypted with the public key of the target scanner. This encrypted data package is then paired with the public fields and stored in our database. A copy of this data is sent to the target scanner over a secure channel that again uses unique AES 256 session keys secured with the scanner public key. The private key is never transmitted off of the scanner. When the scanner receives the encrypted credential message, the message is stored to disk using the existing encryption, and it is decrypted only as required during use. It is never stored on disk in a decrypted form.
- Public — Stored in the database for use with the Risk Dashboard, and the private information is stored alongside it for re-publishing to the scanner if the scanner ever requests it. When the private information is stored in the database, there is no way for any device other than the scanner to read the private fields of a credential, and they cannot be recovered or moved to another scanner.
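The scheme in this answer is envelope (hybrid) encryption: a per-credential AES-256 session key protects the private fields, and only the scanner's RSA-4096 public key can wrap that session key, so the database and the dashboard hold nothing they can read. The Go program below is an added illustration of that scheme written for this page; it is not Arctic Wolf's implementation. The FAQ does not state the AES mode, the RSA padding, or whether the public fields are authenticated, so AES-GCM, RSA-OAEP with SHA-256, the oaepLabel value, the use of the public fields as associated data, and the sample credential strings are all assumptions of the example, as are the names Package, Enroll, Seal and Open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel is an assumed context label for the key wrap; it is not from the FAQ.
var oaepLabel = []byte("managed-risk-credential-session-key")

// Package is the stored form of one credential: public fields in the clear,
// private fields encrypted, and the session key wrapped to one scanner's key.
type Package struct {
	Public     string // hosts, display name, comment: readable in the dashboard
	WrappedKey []byte // AES-256 session key, encrypted with the scanner's RSA public key
	Nonce      []byte
	Ciphertext []byte // usernames, passwords, keys: AES-256-GCM under the session key
}

// Enroll models scanner registration: the key pair is created on the scanner and
// only the public half is published. 4096 bits matches the FAQ; the size is a
// parameter so a test can use a smaller, faster key.
func Enroll(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the server side when a credential is added: a fresh AES-256
// session key encrypts the private fields, the session key is wrapped to the
// target scanner's public key, and the server then forgets the session key.
func Seal(scannerPub *rsa.PublicKey, publicFields, privateFields string) (*Package, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The public fields ride along as associated data, so the scanner rejects a
	// package whose public fields were altered after sealing (assumed, not from the FAQ).
	ct := gcm.Seal(nil, nonce, []byte(privateFields), []byte(publicFields))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, scannerPub, sessionKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	for i := range sessionKey { // the server keeps no copy of the session key
		sessionKey[i] = 0
	}
	return &Package{Public: publicFields, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the scanner, and only at the moment the credential is used: the
// package stays on disk in its sealed form and the plaintext exists only in memory.
// Any party without this scanner's private key (the server, or another scanner) fails here.
func Open(scannerPriv *rsa.PrivateKey, pkg *Package) (string, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, scannerPriv, pkg.WrappedKey, oaepLabel)
	if err != nil {
		return "", errors.New("session key does not unwrap with this scanner's private key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, pkg.Nonce, pkg.Ciphertext, []byte(pkg.Public))
	if err != nil {
		return "", errors.New("private fields failed authentication")
	}
	return string(pt), nil
}

func main() {
	scanner, err := Enroll(4096) // the key size the FAQ states; takes a few seconds
	if err != nil {
		panic(err)
	}
	// Constructed credential; the values are placeholders, not real secrets.
	pkg, err := Seal(&scanner.PublicKey,
		"hosts=10.10.0.0/24; name=lab-windows; comment=domain scan account",
		"username=svc_scan; password=EXAMPLE-NOT-A-REAL-PASSWORD")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: public=%q wrapped=%d bytes ciphertext=%d bytes\n", pkg.Public, len(pkg.WrappedKey), len(pkg.Ciphertext))
	pt, err := Open(scanner, pkg)
	fmt.Printf("target scanner opens: %q (err=%v)\n", pt, err)
	other, _ := Enroll(2048)
	_, err = Open(other, pkg)
	fmt.Println("other scanner opens:", err)
}
```

Open with a different scanner's key fails at the unwrap step, which is the property the answer relies on: a package stored in the database cannot be recovered by any device other than the scanner it was sealed for, and re-publishing it to that scanner needs no plaintext on the server side.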
Q: Does vulnerability scanning work if asset identification scanning is disabled?
A: No. You must enable asset identification scanning to perform vulnerability scanning. You can make these adjustments on the Scanner Config page of the Risk Dashboard. See Risk Dashboard User Guide for more information.
Q: How long does it take to scan my environment with continuous scanning?
A: Scanner performance metrics vary based on your environment. If you are using a vScanner, the allocated resources can also affect scanner performance. Generally, the Managed Risk Scanner can scan approximately 540 devices in a 24-hour period.
Q: What happens if a scan takes longer than the scheduled scan window?
A: Scan times range from 2–200 minutes. If a scan is scheduled in a window that is too small for the scan to complete in, the scan continues until it finishes. It does not stop at the end of the scheduled window. If it did, longer scans would never complete.
For example, if you schedule a 60-minute scan window but a host would take 70 minutes to scan, the scan could not complete without exceeding the window. To avoid this, the schedules define when a scan may start, relying on the fact that the majority of scans take only 5–15 minutes to complete.
Q: Can I scan AWS or other cloud-hosted devices?
A: Cloud providers have different policies, set out in their respective Acceptable Use Policies (AUPs), about when and whether vulnerability assessments are allowed:
- AWS — AWS has a strict AUP around vulnerability scanning, but you can deploy a vScanner for AWS to scan AWS resources. See Install a vScanner in AWS for more information.
- Digital Ocean — Digital Ocean has a lightweight AUP, but Arctic Wolf recommends contacting Digital Ocean to prevent unintentional service interruptions.
- Others — Contact the appropriate cloud hosting provider to discuss their AUP and vulnerability assessment.
Q: Can we schedule IVA scans of devices or IP addresses on a daily, monthly, or quarterly basis?
A: You can schedule IVA scans to run monthly, weekly, daily, or continuously. This frequency is configurable on a network-by-network or host-by-host basis.
Q: What is the underlying technology used for IVA scanning?
A: OpenVAS is the underlying technology used for IVA scanning.
Note: Arctic Wolf uses a variety of effective cybersecurity technologies to ensure the security of our customers. As a result, underlying technologies may change over time as other technologies become available.
EVA scanning FAQs
This information answers frequently asked questions about EVA scanning.
Q: How many ports are scanned during an EVA scan?
A: The Nmap or EVA scan uses the top 1,000 common ports. See Nmap Network Scanning Overview for more information.
Q: How does the EVA Scanner determine if a host is online before performing a vulnerability scan?
A: The EVA Scanner uses the results of an initial Nmap scan to confirm that Arctic Wolf received port information, even if the ports are reportedly closed, and then proceeds with the EVA scan.
Q: How often are EVA discovery scans run?
A: Nmap discovery scans run before every scan. They occur monthly by default, but can be requested at any time.
Q: Can we schedule EVA scans of devices or IP addresses on a daily, monthly, or quarterly basis?
A: By default, we run EVA scans on a monthly basis.
Q: What are the EVA port states?
A: The port states are described below. See What is Port Scanning? for more information.
- The application is actively accepting TCP queries on this port.
- The port is accessible, but there is no application listening on it.
- Arctic Wolf cannot determine whether the port is open because packet filtering prevents probes from reaching the port. This could be due to a firewall, router rules, or host-based firewall software.
- Arctic Wolf is unable to determine if the port is open, closed, or filtered. This typically happens when a port is initially found to be open, but changes state during the scan. This can indicate interference from an intrusion prevention system (IPS) or a web application firewall (WAF). Make sure that Managed Risk Scanner IP address ranges are excluded from devices causing interference, for accurate vulnerability scan results.
Scanner troubleshooting FAQs
This information answers frequently asked questions about scanner troubleshooting.
A: If the scanner IP address is not added to your denylist on the Scanner Config page of the Risk Dashboard, your scanner IP address can appear in scan results in the Risk Dashboard.
A: Spikes in bandwidth usage may be related to:
- Web servers with a large 404 page — A web server configured to use a custom 404 page, especially one that contains images, can return a large response. The scanner checks for many URLs on web servers that do not exist, and a large 404 page transmitted in response can generate large spikes in bandwidth.
- Misconfigured or poorly behaving hosts — Some services may immediately respond to an initial connection with a large volume of unsolicited data, generating a spike in bandwidth.
- Stateful east-west firewalls — Networks where Nmap scans travel through a firewall need to be configured to handle the Nmap traffic, or have a separate Risk Scanner deployed in the network segments.