Endpoint Scan
Limitations of the Endpoint Scan
Rapid7 recommends using the Insight Agent instead of the Endpoint Scan. The Insight Agent collects real-time data, is capable of more detections, and allows you to use scheduled forensics. See the Insight Agent documentation for Insight Agent deployment instructions.
Use of the Endpoint Scan is limited in a few ways:
- You can edit existing IP ranges for the Endpoint Scan, but you can no longer add new ones.
- If you're a Managed Detection and Response (MDR) customer, you can't use the Endpoint Scan. Instead, you must install the Insight Agent on at least 80% of your endpoints to enable full-service monitoring (though, Rapid7 recommends installing the Insight Agent on every endpoint possible).
- The Endpoint Scan is available for Windows assets only.
The Endpoint Scan, or Scan Mode, can run an agentless scan that gathers data from endpoints once an hour alongside the Collector.
The Endpoint Scan collects the required data from assets that do not have the Insight Agent installed and immediately shuts down when the scan is complete.
Before you begin
Before you set up the Endpoint Scan, review the following sections:
Then you can configure the Endpoint Scan.
Requirements
Permission requirements include:
- The Endpoint Scan requires admin credentials. Prepare a Service Account with admin credentials in order to authenticate to the target endpoints for data collection.
- A user profile must be created on the designated endpoint(s) for the account being used to run the endpoint scan. The user must log onto the designated endpoint before the Endpoint Scan process takes place.
- In order to deploy multiple Endpoint Scans of the same OS type across a network, you must configure a host Collector for each domain with its own credentials.
Networking requirements include:
- The Endpoint Scan must be able to establish a WMI (Windows) with the endpoints.
- Endpoints must be able to initiate a connection back to the Collector on a port between 20,000–30,000.
- If you have a firewall or web proxy that restricts outgoing connections, you must grant permission for the Collector to connect to the backend servers. See Firewall Rules for specific information.
Review the Network Requirements to make sure the Endpoint Scan functions properly on your network. Note that when scanning the defined IP ranges, the Endpoint Scan cannot see systems that leave the network.
Install the Insight Agent for critical servers and remote endpoints
For critical servers and endpoints belonging to remote employees, you should install the Insight Agent to enable real-time streaming of events and assets off of the network.
Bandwidth impact
Once you enter an IP address or IP address range, the Collector starts a scan within minutes. Because a typical Collector scan takes between 30–60 minutes, the Endpoint Scan scans an asset only once every hour or once every 2 hours for a class C (/24) subnet.
For most environments, there is minimal or negligible bandwidth impact because the scanner enforces a 30-minute cool-down period between each scan.
IPs / CPU | Time between scans of each endpoint |
|---|---|
1–16,000 | 1 hour for each scan |
16,000–32,000 | 2.5 hours for each scan |
32,000–64,000 | 5–8 hours for each scan |
A single Collector can handle about 16,000 endpoints scanned for each CPU that it has available. You may split up the endpoint IP ranges over multiple Endpoint Scan scans. However, to avoid overlapping endpoint ranges, do not define an IP address or IP range on multiple Collectors.
Be cautious with /8 and /16 subnets or you may configure the Endpoint Scan to scan too many assets.
Low-bandwidth environments
For extremely low-bandwidth environments, the Endpoint Scan uses the following resources during a scan:
- Approximately 300KB for each asset for each scan to gather endpoint information
- An additional 10MB transfer for each scan to transfer data to the Collector
Configure the Endpoint Scan
When configuring the Endpoint Scan, you can edit only IP ranges that were previously specified. Adding new ranges is no longer supported.
To edit IP ranges for the Endpoint Scan:
- From the InsightIDR navigation, select Assets & Endpoints.
- Click the Endpoint Assets Scanned metric. The Endpoint Scan page displays, showing IP ranges that were added previously.
- Click the Pencil icon next to the IP range to edit. The Edit endpoint scan IP address range panel displays.
- In the panel, edit the IP range name or Credential. (You can't edit the IP range definition or the Collector name.)
- Click Update range. The panel closes and the IP range is updated in the table.
Ranges cannot be larger than CIDR /16
The Endpoint Scan range cannot be larger than CIDR /16, which is a maximum of 65,536 hosts. If possible, use the smallest range needed to cover your specific Endpoint Scan range. For individual assets, include /32 CIDR notation.
Asset data collection
The Endpoint Scan collects the following data from your assets and endpoints:
- Local user activity
- Windows logon activity
- Event log tampering
- Process hash identification
- Process commonality analysis
- Process malware analysis
However, the Endpoint Scan does not collect the following data:
- Forensic jobs
- Real-time or continuous collection
- Exploit mitigated
- Honey file accessed
- Local honey credential privilege escalation attempt
- Protocol poisoning detected
- Remote file execution detected
Troubleshooting
If you experience issues when using the Endpoint Scan, review the following solutions:
- Endpoints not returning logs during an Endpoint Scan
- Read Scan Log Results
- Error Codes
- Error 0x80041003
Endpoints not returning logs during an Endpoint Scan
If you do not see endpoints returning logs in their scans or from the Insight Agents, complete the following steps:
- Confirm that the expected ports are open and available. See Network Requirements for specific information.
- If you correctly configure the external firewall and web proxies, check a sample endpoint for agent log files in either of the following folders:
C:\Windows\Temp\C:\Users\IDR_service_account\AppData\Local\Temp\
- Find the Rapid7 folder and look for the following 3 files:
agent.logconfig.jsonpowershell.log
- Compress the files and send them to Rapid7 Support for review.
Read Endpoint Scan log results
At the end of each scan, the Endpoint Scan will report the results of the scan in the collector.log.
If you experience issues with the Endpoint Scan, you can review the log for errors by using the following command:
Error codes
Use the following table to determine what an error means in your scan log:
Error Code | Definition |
|---|---|
| There is no asset listening on the IP that was attempted. There may be a firewall blocking the connection, part of the network may be unreachable, or there are simply no assets running on that IP address. |
| An error code was received from the endpoint during attempted communication. |
| There was an attempt to connect to the endpoint but the attempt was denied. |
| A connection was established but no response was received. |
Error messages on the Endpoint Scan page
Many errors on the Endpoint Scan page are due to network interruptions that self-resolve. However, take note of the following errors:
- If you notice that an entire IP range is showing errors, there may be a networking issue.
- If a particular endpoint consistently shows the same error, you may have misconfigured that device or it is otherwise inaccessible.
Error 0x80041003
An endpoint returning error 0x80041003 means that the endpoint does not allow remote WMI queries.
To fix this error:
- On the endpoint, either run
wmimgmt, or go to Administrative Tools > Computer Management. The WMI Control Panel appears. - On the left panel, right click WMI Control (Local) > Properties.
- Select the Security tab.
- Expand the Root folder and select the CIMV2 option.
- Click Security to display the ROOT\CIMV2 security and add the credential you configured in the Endpoint Scan.
- Be sure to grant the following permissions to the newly added credential:
- Execute Methods
- Enable Account
- Remote Enable