Using the Scan Assistant

The Scan Assistant achieves the same results as a credential scan without the need for administrative credential management and provides accurate, granular vulnerability fingerprinting and assessment for assets. The Scan Assistant allows the Scan Engine to connect directly to an endpoint in order to collect data without the need for additional credentials. A secure connection is created between the Scan Engine and the Scan Assistant by using elliptic curve asymmetric encryption (ECDSA) and advanced encryption standard (AES).

Once installed, the Scan Assistant provides Registry and File System services on the local asset and only runs when scans are performed.

Supported Windows Platforms

The Scan Assistant supports the following platforms.

• Windows 7
• Windows 7 SP1
• Windows 8.1
• Windows 10
• Windows 11
• Windows Server 2008 R2
• Windows Server 2008 R2 SP1
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016
• Windows Server 2019
• Windows Server 2022

Resource Utilization

The Scan Assistant will occupy approximately 20MB in memory. It will consume 0% CPU when idle. CPU utilization can range from 2.5% to 6% when the Scan Assistant is active, for a duration of 60 to 120 seconds while a scan is completed.

Why should I use the Scan Assistant?

The Scan Assistant provides a more secure way to scan your assets, removes the need for administrative credential management, consumes much fewer resources, and significantly decreases the time to complete for policy scans.

When Should I Use the Scan Assistant?

The Scan Assistant provides an additional tool that Nexpose and InsightVM administrators can leverage to expand and extend enterprise vulnerability coverage. It is complementary to the Insight Agent, and compatible with the InsightVM cloud platform, but does not require cloud connectivity. The Scan Assistant provides an ideal solution for the following vulnerability coverage scenarios:

Scan Assistant Deployment Overview

To setup the Scan Assistant, perform the following steps:

1. Download the Scan Assistant software (.MSI) and the Checksum (SHA512 file).
2. Create and deploy X.509 digital certificates, that will be used to establish a trusted connection between the Scan Engine and scanned assets:
   1. A Public Key (PEM) is added with the Scan Assistant software and to all supported target assets as part of the installation.
      1. Microsoft Standard Installer (Msiexec.exe) is used to install the Scan Assistant software .MSI and one line PEM file with the /i command line parameter. Additional command line parameters can be seen by running Msiexec.exe, or found in Microsoft’s documentation. This information may prove useful in creating automated installation scripts.
   2. A Private Key(included in a PKCS12 file) is added to the Security Console as a scan credential.
3. Configure and schedule scans for Sites with assets that have the Scan Assistant installed.

During a scan, a Scan Engine with access to the private key (scan credential) will authenticate to an asset running Scan Assistant with the public certificate. The Scan Engine communicates with the Scan Assistant using TLSv1.2 and connects to port 21047 (TCP) on each asset.

Asset Configuration Details

When installed, the Scan Assistant automatically configures the required parameters on the asset. It adds itself as a service that starts automatically and adds itself to the Windows firewall, listening on TCP port 21047. It also adds itself as an event source to the Windows eventlog and supports audit logging when required. When uninstalled, the Scan Assistant removes all changes made to the asset.

The following table shows additional Windows asset configuration.

Asset deployment Notes

When the Scan Assistant is used, the following configurations and services that may have been required on the target Windows assets to enable traditional credentialed scans are no longer needed:

• Remote access to an Administrative account
• Remote access to built-in Windows services
• Enable the Windows Registry services
• Enable the WMI service
• Enable the WinRM service
• Enable File & Print sharing, or equivalent services

Installing the Scan Assistant

1. Download the Windows Installer and Checksum

Before setting up the Scan Assistant, you must download the MSI and checksum. The Scan Assistant currently only supports Windows installs.

2. Add port to Service Discovery and Asset Discovery

You must add TCP port 21047 to both Service Discovery and Asset Discovery for all scan templates before setting up the Scan Assistant.

3. Generate the Scan Assistant Credentials

You can automatically generate the Scan Assistant credentials in the InsightVM Console. When generating new Scan Assistant credentials, previous credentials are not automatically deleted. You can set up automatic certificate rotation or delete your old credentials.

1. From the Administration tab, under Shared Credentials, click Create.
2. On the General tab, enter a unique name and description.
3. On the Account tab, in the Service field, select Scan Assistant.
4. Select the Generate checkbox. By selecting this checkbox, your scan credentials are automatically generated once the credential is saved.
5. On the Site Assignment tab, specify what sites can use the credential.
   • To allow all sites to access the credential, select Assign these credentials to all current and future sites.
   • To select a specific set of sites to access the credential, click Select Sites, select the sites you want to allow to use the credential, and click Add Sites.
6. Click Save. You are redirected back to the Administration page.
7. Under Shared Credentials, click manage.
8. Click Edit on your newly created Scan Assistant shared credential.
9. Copy the automatically generated PEM file.

4. Install the Scan Assistant on Windows

Automatic Certificate Rotation

In the Scan Assistant template, you can automatically rotate your Scan Assistant certificate.. When you enable certificate rotation, InsightVM automatically attempts to update the Scan Assistant to use the available credential with the latest expiration date.

You can not explicitly set the expiration date for certificates that are automatically generated from the Security Console. The default validity period for certificates is three years, so the most recent certificate added will have the longest validity period. To enable the certificate rotation, you will need to create a new certificate pair from the Security Console according to your IT Security policy for digital certificate or credential rotation.

Rapid7 recommends deleting the oldest certificate every 3rd new certificate. Keep in mind that this recommendation is not necessarily the timeframe but in accordance with your internal certificate rotation policy.. The frequency of rotation is usually set by your IT Security Policy. You may choose to rotate the certificates in accordance with your Security Policy before they expire.

Scan Assistant Software Updates

When you enable automatic updates, InsightVM updates the Scan Assistant with the latest installation, when available. Automatic updates are available for the Scan Assistant versions 1.1.0 and later.

1. Select the Administration tab
2. Under Templates, click Create.
3. Select the Rotate Certificates checkbox, to automatically rotate your Scan Assistant certificates.
4. Select the Apply Updates checkbox, to automatically apply the latest updates.
5. Click Save.

For optimal scan performance with the Scan Assistant, Rapid7 recommends selecting either the Automatic Certificate Rotation or the Scan Assistant Software Updates feature, but not both in the same scan template. Enabling both features in the same scan template affects the scan performance issues when a Scan Assistant update or Credential rotation occurs.

How to uninstall the Scan Assistant from a Windows asset

Command line

You can uninstall the Scan Assistant from a Windows asset by utilizing the command line.

The Windows Scan Assistant ships as an .msi file and uses the standard Microsoft Windows installer, msiexec.exe. Refer to Microsoft’s documentation to view all the listed command line options. Also, you can see the command line options by running msiexec from a CMD prompt on a Windows Machine.

UI

You can also uninstall the Scan Assistant from a Windows asset from Windows Explorer and the add or remove programs applet.

Windows Explorer

If you are at the keyboard of the Windows asset, you can use Windows Explorer to uninstall Microsoft Windows.

1. Navigate to ScanAssistantInstaller.msi.

The location of the ScanAssistantInstaller will be based on the folder or directory you chose to place it in.

2. Right click on the .msi and select Uninstall.

Programs applet

You can uninstall the Scan Assistant from the add or remove programs applet. On Windows 10, if you search for Add in the Windows search bar, you will see the add or remove programs applet.

Mass deployment

Users may utilize the following tools to automate mass uninstalls of the Scan Assistant:

• Microsoft SCCM (System Center Configuration Manager
• Microsoft GPO (Group Policy Orchestrator)
• HCL BigFix

Documentation for each tool set is available from the respective vendor.

Frequently Asked Questions

 
1
$mypassword = ConvertTo-SecureString -String "PASSWORD" -Force -AsPlainText
2
Export-PfxCertificate -Cert Cert:\LocalMachine\My\THUMBPRINT -FilePath scan-assistant.pfx -Password $mypassword

 
1
$oMachineCert=Get-Item Cert:\LocalMachine\My\THUMBPRINT
2
$InsertLineBreaks=0
3
$oPem=new-object System.Text.StringBuilder
4
$oPem.Append("-----BEGIN CERTIFICATE----- ")
5
$oPem.Append([System.Convert]::ToBase64String($oMachineCert.RawData, $InsertLineBreaks))
6
$oPem.Append(" -----END CERTIFICATE-----")
7
$oPem.ToString()

 
1
Remove-Item -Path cert:\LocalMachine\My\581C1CA18731790790CF7392DC3510CFA5382BBD -DeleteKey
2

3
Remove-Item -Path cert:\LocalMachine\My\THUMBPRINT -DeleteKey