Set maximum scan duration per device
When scanning within a specified window of time, scan completion is a primary concern. In some environments, devices may be non-responsive or may not respond to scanning in a timely manner. As a result, the scan does not complete within the specified window.
You may now configure the Scan Engines within InsightVM to obey a per device maximum scan duration.
The objective of a vulnerability scan is to obtain visibility into the exposures on a given device. While Rapid7 understands the practical need for scan scheduling and scan windows, setting a per device maximum scan duration is not recommended because it obscures visibility into legitimate scanning obstacles. Implementation may result in false negatives and therefore a false sense of confidence in results.
Rapid7 recommends addressing long-running scan times directly through troubleshooting with the intent of understanding obstacles preventing visibility and efficient scan completion prior to enabling this capability.
Care should be taken when setting custom properties. If you are not familiar with custom properties we recommend contacting Rapid7 Support for assistance.
For the Local Scan Engine Within the Security Console
A custom property may be set within the Security Console:
- In your Security Console, click the Administration tab in your left navigation menu.
- In the "Maintenance, Storage and Troubleshooting" section, click Run next to the "Troubleshooting" label.
- To set a per device maximum scan duration, enter the following command in the provided field and click Execute:
set custom property com.rapid7.nexpose.scanTargetMonitor.networkNode.timeLimit=1800000
In this example, 1800000 is a value in milliseconds, which is 30 minutes.
- To confirm the per device maximum scan duration was set properly, execute the following command:
get property com.rapid7.nexpose.scanTargetMonitor.networkNode.timeLimit
To remove the per device maximum scan duration and revert to unbound behavior, execute the following command:
delete custom property com.rapid7.nexpose.scanTargetMonitor.networkNode.timeLimit
For Distributed Scan Engines
A custom property may be set on each distributed Scan Engine. Access the machine with SSH or your preferred method.
- Locate the CustomEnvironment.properties file within the Scan Engine installation folder. Here are the default installation locations:
  - Linux -
  - Windows -
  - If the CustomEnvironment.properties file does not exist, create it with a text editor.
- Add this property to the
In this example, 1800000 is a value in milliseconds, which is 30 minutes.
- After configuring this property with your desired value, restart the Scan Engine service so the changes can take effect.
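The distributed Scan Engine steps above, as an added shell example (not Rapid7's own tooling): it sets the property idempotently in a CustomEnvironment.properties file whose path you pass as an argument, so repeated runs never leave duplicate or conflicting entries. It assumes the property is stored as a single `key=value` line, as in the Security Console command; the function names are hypothetical, and the Scan Engine service must still be restarted afterwards.

```shell
#!/bin/sh
# Added example, not Rapid7 code. The file path is supplied by the caller.
PROP='com.rapid7.nexpose.scanTargetMonitor.networkNode.timeLimit'

# Convert whole minutes to milliseconds; reject anything but a positive integer.
minutes_to_ms() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ] || return 1
    echo $(( $1 * 60 * 1000 ))
}

# set_time_limit FILE MINUTES
# Creates FILE if it does not exist, drops any earlier definition of the
# property (exact key comparison), and appends the new value. All other
# lines in the file are kept unchanged.
set_time_limit() {
    file=$1
    ms=$(minutes_to_ms "$2") || { echo "invalid minutes: $2" >&2; return 1; }
    [ -f "$file" ] || : > "$file" || return 1
    tmp=$(mktemp) || return 1
    awk -F= -v key="$PROP" \
        '{ k = $1; gsub(/[ \t]/, "", k); if (k != key) print }' "$file" > "$tmp"
    printf '%s=%s\n' "$PROP" "$ms" >> "$tmp"
    # Write back in place so the file keeps its owner and permissions.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_time_limit FILE
# Prints the configured limit in milliseconds, or nothing when the property
# is absent (no per device limit set in this file).
get_time_limit() {
    awk -F= -v key="$PROP" '
        { k = $1; gsub(/[ \t]/, "", k)
          if (k == key) { v = $2; gsub(/[ \t\r]/, "", v); val = v } }
        END { if (val != "") print val }' "$1"
}

# Usage: script.sh /path/to/CustomEnvironment.properties 30
if [ "$#" -eq 2 ]; then
    set_time_limit "$1" "$2" && get_time_limit "$1"
fi
```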