Here is information about the different settings for scan profiles. All recommended settings are preselected when setting up a new scan profile.
General settings
Name
Enter a name, e.g., "Standard scan" or "Scan for business crucial servers".
Scan type
Choose between Full, Basic, or Discovery scan.
Read more about the difference between these settings in this article: https://support.holmsecurity.com/knowledge/what-is-the-difference-between-discovery-basic-full-scan-type
Owner
The user to whom the profile belongs.
Details
Any details you want to add to the profile, e.g., the purpose of the profile.
Host Discovery
Standard scan (20 ports)
The scan profile tests the TCP ports using TCP SYN packets to determine if the host is accessible. By default, the scan covers the following ports. However, you have the option to add any additional ports you require.
- 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080
Additional ports
Here, you can add other ports not included in Host Discovery.
TCP SYN settings:
Please read this regarding the SYN settings:
https://support.holmsecurity.com/hc/en-us/articles/360027656011-What-is-the-difference-between-TCP-SYN-and-TCP-SYN-ACK-in-a-scan-profile-
Perform ICMP Ping
A test that sends a regular ICMP ping to check if the host is reachable.
Include dead hosts in scans.
Disregard the discovery settings. All ports under Port Coverage will be tested even if the host might not be active. Enabling this option may substantially increase scanning time.
Port Coverage
To learn more about the range of TCP and UDP ports covered in the different options, we recommend reading this article:
https://support.holmsecurity.com/knowledge/what-ports-are-included-in-the-different-scan-levels
Additional ports
Here, you can add ports not included in Light or Standard scan.
Port exclusions
Here, you can exclude specific ports you do not want to include.
TCP scanning technique:
TCP SYN Only is the preferred and default setting because it performs faster than the 3-way handshake method and is less likely to be blocked by firewalls. A TCP SYN scan is also preferred because it distinguishes between open, closed, and filtered ports.
Optimize scanning time by ignoring RST rate limits.
Some hosts have implemented rate limiting to reduce the number of ICMP error messages they send. Additionally, specific systems have applied similar rate limits to their generated RST (reset) packets. These rate limits can significantly slow down a scan as it adjusts its timing to accommodate them. To overcome this issue, you can enable a checkbox to ignore these rate limits in the scan profile. This is especially useful for port scans like SYN scans that do not consider non-responsive ports as open.
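The following added example (not Holm Security code) shows how a SYN scan conventionally maps replies to open, closed, and filtered, using the default Host Discovery ports from this page and constructed TCP headers as sample input. It assumes that any SYN/ACK or RST from a discovery port counts as proof that the host is alive, and it shows that a RST lost to rate limiting turns a closed port into a filtered one, never into an open one.

```python
import struct

# The 20 default Host Discovery ports listed on this page.
DISCOVERY_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443,
                   445, 993, 995, 1723, 3306, 3389, 5900, 8080]
SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

def tcp_header(src_port, dst_port, flags):
    """Build a constructed 20-byte TCP header (checksum left at 0) as sample input."""
    offset_flags = (5 << 12) | flags  # data offset of 5 words, then the flag bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, offset_flags, 1024, 0, 0)

def classify_reply(reply):
    """Map the reply to a SYN probe (raw TCP header, or None on timeout) to a port state."""
    if reply is None or len(reply) < 20:
        return "filtered"          # silence is never treated as open
    flags = struct.unpack("!H", reply[12:14])[0] & 0x3F
    if flags & RST:
        return "closed"
    if flags & SYN and flags & ACK:
        return "open"
    return "filtered"

def host_is_alive(replies):
    """Assumption: a SYN/ACK or RST from any discovery port proves the host is up."""
    return any(classify_reply(replies.get(p)) != "filtered" for p in DISCOVERY_PORTS)

def scan_view(replies, ports):
    """Return {port: state} for the given ports."""
    return {p: classify_reply(replies.get(p)) for p in ports}

# Constructed sample: 443 open, 22 and 80 closed, everything else silent.
SAMPLE = {443: tcp_header(443, 40000, SYN | ACK),
          22: tcp_header(22, 40000, RST | ACK),
          80: tcp_header(80, 40000, RST | ACK)}
# Same host, but its RST rate limit suppressed the reset for port 80 and the
# scanner did not slow down to wait for it (rate limits ignored).
RATE_LIMITED = {p: r for p, r in SAMPLE.items() if p != 80}

if __name__ == "__main__":
    print(scan_view(SAMPLE, [22, 80, 443, 3389]))
    print(scan_view(RATE_LIMITED, [22, 80, 443, 3389]))
```

When reviewing results from a profile that ignores RST rate limits, treat a filtered port as "no answer received" rather than as evidence of a firewall rule.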
Vulnerabilities
Vulnerability selection
Default vulnerability category
The default list of vulnerability tests includes various general vulnerability checks. It provides a comprehensive vulnerability assessment of the target system. However, you can exclude specific vulnerability categories and individual vulnerabilities if desired. When opting for a basic scan, you can select specific categories and vulnerabilities to focus on during the scan. This allows you to customize the scan to your particular needs and priorities.
Tests with known exploit vulnerabilities
Read more about CISA's known exploits in this article:
https://support.holmsecurity.com/knowledge/what-is-cisas-known-exploited-vulnerabilities-catalog
Tests with vulnerabilities related to known ransomware
Read more about the known exploits and ransomware in this article:
https://support.holmsecurity.com/knowledge/how-to-scan-for-known-exploits-and-ransomware
Tests for printers and office devices
If the scan detects a printer device, it will not be scanned if the option is disabled. This is because many printers have adverse reactions to network scans. Some printers may crash, while others may start printing many pages. These reactions can disrupt office work and cause inconvenience. Therefore, the scan has been disabled for these types of devices.
Include
To scan for specific vulnerabilities, you can search and choose the category name, vulnerability name, or HID you are interested in. This allows you to customize your scan and focus on specific areas of concern.
Exclude
To exclude specific vulnerabilities in your scan, add them to the exclusion list. You can exclude single HIDs or entire categories.
Potential vulnerabilities
Include or exclude low-probability vulnerabilities in the scan results.
For a complete explanation, please refer to this article:
https://support.holmsecurity.com/hc/en-us/articles/360010562839-How-does-low-probability-tests-work-and-how-can-I-turn-them-off-
Stability
Skip tests that perform active break-in attempts
Read more about the potentially dangerous tests and tests that perform active break-in attempts in this article:
https://support.holmsecurity.com/knowledge/what-are-the-tests-that-perform-active-login-attempts
Skip tests that perform active login attempts
Read more about the tests that perform active login attempts in this article: https://support.holmsecurity.com/knowledge/what-are-the-tests-that-perform-active-login-attempts
Password brute forcing
If password brute forcing is enabled, the scan will attempt to log in using commonly used usernames and passwords for various services. You can find the list of these services here:
http://support.holmsecurity.com/hc/en-us/articles/115000454169/
Authentication
You can enter a new authentication record or choose an existing one for Windows and Linux/Unix. Note that you can only have one authentication record per profile and operating system.
Linux/Unix authentication record
Authentication information
The authentication information will be the name you type in.
Name
Select a name.
Port
Enter a port number if you want to use a specific port for your authentication. Otherwise, the standard port 22 will be used.
You can authenticate with a username, password, or private key. Type in your credentials, and you are done.
Windows authentication record
Authentication information
The authentication information will be the name you type in.
Name
Select a name.
Type in the credentials you would like to use for your authenticated scan.
Check "Use NTLM" if you use the NTLM protocol to authenticate your domains.
Read this for more information regarding authenticated network scans:
https://support.holmsecurity.com/knowledge/how-does-authenticated-networks-scans-work
Compliance
Enable this to use the scan profile for PCI DSS compliance scans.
By enabling the PCI DSS compliance tests, we will include the required areas for the framework in the scan and return the outcome in the results. All assets scanned with PCI compliance tests will automatically receive a PCI DSS tag that cannot be removed later.
Performance
Scan intensity
This is a setting that changes the values for several different settings mentioned below. We recommend that you use medium intensity. Choosing Custom enables you to set each parameter manually.
Hosts to scan in parallel
The number of scans performed in parallel.
Total processes
The maximum number of security checks that will be launched at the same time against each host.
Packet (burst) delay
The delay between sending out packets.
- Automatic (recommended)
Dynamically adjusted while the scan runs, depending on network quality and how quickly the tested machine answers.
- Minimum
10 ms delay.
- Medium
100 ms delay.
- Maximum
400 ms delay.