What do the scan profile settings mean?

Here is information about the different settings for scan profiles. All recommended settings are preselected when setting up a new scan profile.

General information

Name
Enter a name, e.g. Standard scan or Scan for business-critical servers.

Owner
The owner of the policy.

Details
Any comments that you want to add.

Scan settings

Discovery

Limits the scan to identifying only which assets are considered to be alive.

Tests the TCP ports with a TCP SYN packet to see if the host is reachable. No active vulnerability testing is done while this setting is active.

Ports coverage
Please read this article:
http://support.holmsecurity.com/hc/en-us/articles/212609249

Additional ports
Here you can add additional ports that are not included in Ports coverage.

Port exclusions
Here you can exclude specific ports.

TCP scanning technique:
TCP SYN Only scan is the most popular technique and the default setting, because it is fast compared with a full 3-way handshake and is less likely to be blocked by firewalls. Another reason is that a TCP SYN scan distinguishes clearly between the open, closed and filtered port states.

Read more (external link):
https://www.techopedia.com/definition/10339/three-way-handshake

Optimize scanning time by ignoring RST rate limits

Many hosts have long used rate limiting to reduce the number of ICMP error messages (such as port-unreachable errors) they send. Some systems now apply similar rate limits to the RST (reset) packets they generate. This can slow the scan down dramatically as it adjusts its timing to reflect those rate limits. Use the checkbox to tell the scan profile to ignore those rate limits (for port scans such as SYN scan, which don't treat non-responsive ports as open). Enabled by default.
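The following is an added illustration, not Holm Security's or Nmap's code: a pure simulation (no packets are sent) of why ignoring RST rate limits shortens a SYN scan without hiding open ports. The host model, the 1-second RST limit, the single re-probe and the chosen open ports are assumptions made for the example.

```python
"""Pure simulation of a SYN scan against an RST-rate-limited host; sends no packets."""
from dataclasses import dataclass


@dataclass
class RateLimitedHost:
    """Constructed model: always answers SYNs to open ports, but emits at
    most one RST per `rst_interval` seconds for closed ports."""
    open_ports: frozenset
    rst_interval: float = 1.0            # assumed limit, in seconds
    last_rst: float = float("-inf")      # time the previous RST was sent

    def reply(self, port, now):
        if port in self.open_ports:
            return "SYN-ACK"
        if now - self.last_rst >= self.rst_interval:
            self.last_rst = now
            return "RST"
        return None                      # RST suppressed by the rate limit


def classify(reply):
    """SYN-scan port states: silence maps to filtered, never to open."""
    return {"SYN-ACK": "open", "RST": "closed", None: "filtered"}[reply]


def scan(host, ports, delay, ignore_rst_limit):
    """Return ({port: state}, simulated seconds).

    When the limit is honoured, the scanner waits out `rst_interval` and
    re-probes once (a simplification of adaptive timing)."""
    now, states = 0.0, {}
    for port in ports:
        reply = host.reply(port, now)
        if reply is None and not ignore_rst_limit:
            now += host.rst_interval
            reply = host.reply(port, now)
        states[port] = classify(reply)
        now += delay
    return states, now


if __name__ == "__main__":
    ports = [21, 22, 23, 25, 80, 443, 3389, 8080]   # subset of the 20 standard ports
    for ignore in (True, False):
        host = RateLimitedHost(frozenset({22, 443}))  # constructed target
        states, secs = scan(host, ports, delay=0.1, ignore_rst_limit=ignore)
        print(f"ignore={ignore}: {secs:.1f}s {states}")
```

Both runs report the same open ports. With the limit ignored, the simulated scan finishes in 0.8 s instead of 5.8 s, at the cost of some closed ports being reported as filtered.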

Scan result interpretation

Include or exclude low-probability vulnerabilities in the scan result.
Please read this article for a full explanation:
https://support.holmsecurity.com/hc/en-us/articles/360010562839-How-does-low-probability-tests-work-and-how-can-I-turn-them-off-

Potentially dangerous tests

Please read this article:
https://support.holmsecurity.com/hc/en-us/articles/360003863712-What-is-potentially-dangerous-test-

Include dead hosts in scans
To determine if a host is alive or dead, the scanning engine initiates either a TCP-ACK scan on some popular ports (including SMTP, SSH and HTTP) or pings it with an ICMP ping or both. If there is no response, the host is declared dead and no further processing is done unless this option is enabled. Enabling this option may substantially increase scanning time.

Scan intensity
This setting changes the values of a number of the settings described below. We recommend that you use medium intensity. If you choose Custom, you set each parameter manually.

Hosts to scan in parallel
Number of scans performed in parallel.

Total processes
Maximum number of security checks that will be launched at the same time against each host.

Packet (burst) delay
The delay between the packets that Nmap sends out.

  • Automatic (recommended)
    Dynamically adjusted while the scan runs, depending on network quality and how quickly the tested machine answers.
  • Minimum
    10 ms delay.
  • Medium
    100 ms delay.
  • Maximum
    400 ms delay.

Port scanning and host discovery
Sets the Nmap timing policy to polite, normal or aggressive.

Read more (external link):
https://nmap.org/book/man-performance.html

Password brute forcing
When password brute forcing is enabled, the scan will try to log in using common usernames and passwords for a number of different services, which are listed here:

http://support.holmsecurity.com/hc/en-us/articles/115000454169/

Vulnerability detection
Complete runs a complete vulnerability assessment. You can choose to exclude specific categories and vulnerabilities. When choosing Custom, you can select specific categories and vulnerabilities.

Authentication

Here you can enter a new authentication record or choose an existing one for Windows and Linux/Unix. Note that you can only have one authentication record per profile and operating system.

Linux/Unix authentication record

Authentication information 
The authentication information will be the name you type in.

Name 
Select a name.

Port
Enter a port if you want to use a specific port for authentication; otherwise the standard port 22 will be used.

Choose whether to authenticate with a username and password or with a private key, type in your credentials and you are done.

Windows authentication record

Authentication information
The authentication information will be the name you type in.

Name
Select a name.

Type in the credentials you would like to use for your authenticated scan.

Check “Use NTLM” if you are using the NTLM protocol to authenticate your domains.

Read this for more information regarding authenticated network scans:
https://support.holmsecurity.com/hc/en-us/articles/360019811432-How-does-authenticated-networks-scans-work-

Additional Settings

Standard scan (20 ports)
Tests the TCP ports with a TCP SYN packet to see if the host is reachable. The following ports are scanned by default. You can add any additional ports.

  • 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080

ICMP
A test that sends a regular ICMP ping to check if the host is reachable.

SYN Settings:

Please read this regarding the SYN settings:
https://support.holmsecurity.com/hc/en-us/articles/360027656011-What-is-the-difference-between-TCP-SYN-and-TCP-SYN-ACK-in-a-scan-profile-

Compliance

Enable this to use the scan profile for PCI DSS compliance scans.

By enabling the PCI DSS compliance tests we will include the required areas for the framework in the scan and return the outcome of these in the scan results. All assets scanned with PCI compliance tests will automatically receive a PCI DSS tag that cannot be removed later.
