What does the scan profile settings mean?

Here is information about the different settings for scan profiles. All recommended settings are preselected when setting up a new scan profile.

General information

General information

Name
Enter a name, e.g. Standard scan or Scan for business crucial servers.

Owner
The owner of the policy.

Details
Any comments that you want to add.

Scan settings

Discovery

Limit the scan to only identify what assets that are considered to be alive.

Testing the TCP ports with TCP SYN packet to see if the host is reachable. No active vulnerability testing will be done while this setting is active.

Ports coverage
Please read this article:
http://support.holmsecurity.com/hc/en-us/articles/212609249

Additional ports
Here you can add additional ports that are not included in Ports coverage.

Perform 3-way handshake
A three-way-handshake is a method used in a TCP/IP network to create a connection between a local host/client and server. It is a three-step method that requires both the client and server to exchange SYN and ACK (acknowledgment) packets before actual data communication begins.

Read more (external link):
https://www.techopedia.com/definition/10339/three-way-handshake

Scan result interpretation

Include or exclude low-probability vulnerabilities in scan result. 
Please read this article for full explaination:
https://support.holmsecurity.com/hc/en-us/articles/360010562839-How-does-low-probability-tests-work-and-how-can-I-turn-them-off-

Potentially dangerous tests

Please read this article:
https://support.holmsecurity.com/hc/en-us/articles/360003863712-What-is-potentially-dangerous-test-

Include dead hosts in scans
To determine if a host is alive or dead, the scanning engine initiates either a TCP-ACK scan on some popular ports (including SMTP, SSH and HTTP) or pings it with an ICMP ping or both. If there is no response, the host is declared dead and no further processing is done unless this option is enabled. Enabling this option may substantially increase scanning time.

Scan intensity
This is a setting that changes the values for a number of different settings mentioned below. We recommend that you use medium intensity. Choosing Custom makes you set each parameter manually.

Hosts to scan in parallel
Number of scans performed in parallel.

Total processes
Maximal number of security checks that will be launched at the same time against each host.

Packet (burst) delay
The delay between NMAP sending out packages.

  • Automatic (recommended)
    Dynamically adjusted while the scan runs, depends on network quality and speed tested machine answers.
  • Minimum
    10 ms delay.
  • Medium
    100 ms delay.
  • Maximum
    400 ms delay.

Intensity
Sets the NMAP Timing Policy till polite, normal or aggressive.

Read more (external link):
https://nmap.org/book/man-performance.html

Password brute forcing
When having password brute forcing enabled the scan will try to make login using common usernames and passwords for a number of different services that can be found here:

http://support.holmsecurity.com/hc/en-us/articles/115000454169/

Vulnerability detection
Complete
runs a complete vulnerability assessment. You can choose to exclude specific categories and vulnerabilities. When choosing Custom you can select specific categories and vulnerabilities.

Authentication

Here you can enter a new authentication record or chose an existing for Windows and Linux/Unix. Notice that you can only have one authentication record per profile and operating system.

Read this for more information regarding authenticated network scans:
https://support.holmsecurity.com/hc/en-us/articles/360019811432-How-does-authenticated-networks-scans-work-

Additional Settings

Standard scan (20 ports)
Testing the TCP ports with TCP SYN packet to see if the host is reachable or. The following ports are scanned by default. You can add any additional ports.

  • 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080

ICMP
A test that sends a regular ICMP ping to check if the host is reachable.

SYN Settings:

Please read this regarding the SYN settings:
https://support.holmsecurity.com/hc/en-us/articles/360027656011-What-is-the-difference-between-TCP-SYN-and-TCP-SYN-ACK-in-a-scan-profile-

Compliance

Enable this to use the scan profile for PCI DSS compliance scans.

By enabling the PCI DSS compliance tests we will include the required areas for the framework in the scan and return the outcome of these in the scan results. All assets scanned with PCI compliance tests will automatically receive a PCI DSS tag that can not be removed later.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.