Running a manual scan
Start a manual scan for a site
Scans inspect potential points of exploitation on a site or network to identify possible security risks. The scheduled scan feature should be used for regular site monitoring, but there are situations where you may want to run a manual scan outside your regular scan cadence, for example to assess your network for a new zero-day vulnerability or to verify the patch for that same vulnerability. This section explains how to start a manual scan and describes useful actions you can take while a scan is running. To start a manual scan for a site:
- Navigate to the Home page.
- Click the Scan icon for a given site in the Site Listing table.
Start a manual scan for a single asset
Scanning a single asset at any given time can be useful. For example, an asset may hold sensitive data, and you may want to know right away whether it is exposed to a zero-day vulnerability. To scan a single asset:
- Navigate to the relevant page for a single asset by clicking on it from any Assets table on a site page or asset group page.
- Click the Scan asset now button that appears below the asset information panel.
How scanning a single asset works with asset linking
With asset linking enabled, an asset in multiple sites is regarded as a single entity. See Linking assets across sites for more information. If asset linking has been enabled in your Nexpose deployment, be aware of how it affects the scanning of individual assets.
Asset linking and site permissions
With asset linking, an asset is updated with scan data in every site to which it belongs. This happens even if the user who runs the scan does not have access to all of those sites.
Asset Linking Site Permission Example
A user wants to scan a single asset that belongs to two sites, Los Angeles and Belfast. This user has access to the Los Angeles site, but not the Belfast site. Because of asset linking, the scan still updates the asset in the Belfast site.
Asset linking and blackouts
Blackouts are scheduled periods in which scans are prevented from running. With asset linking enabled, if you attempt to scan an asset that belongs to any site with a blackout currently in effect, the Security Console displays a warning and prevents the scan from starting. If you are a Global Administrator, you can override the blackout.
Change settings for a manual scan
When you start a manual scan, the Security Console displays the Start New Scan dialog box.
In the Manual Scan Targets area, select either the option to scan all assets within the scope of a site, or to specify certain target assets. Specifying the latter is useful if you want to scan a particular asset as soon as possible, for example, to check for critical vulnerabilities or verify a patch installation.
Specify assets by address or range when manually scanning.
You can manually scan only assets that were specified in the site as individual addresses or as part of an address range.
If you select the option to scan specific assets, enter their IP addresses or host names in the text box. The site's lists of included and excluded assets show the IP addresses and host names; you can copy and paste the addresses from there.
Scanning Amazon Web Services.
If you are scanning Amazon Web Services (AWS) instances and your Security Console and Scan Engine are located outside the AWS network, you cannot manually specify assets to scan. See Inside or outside the AWS network?.
Several configuration settings can expand your scanning options:
- If you are scanning a single asset that belongs to multiple sites, you can select a specific site to scan it in. This can be useful in situations such as verification of a Patch Tuesday update on a Windows asset.
- You can use a scan template other than the one assigned for the selected site. If, for example, you've addressed an issue that causes the asset to fail a PCI scan, you can apply the appropriate PCI template and confirm that the issue has been corrected.
- If you are scanning a site, you can use a Scan Engine other than the one assigned for the site. If you know that the currently assigned engine is in use, you can switch to a free one. Or you can change the perspective with which you will "see" the asset. For example, if the currently assigned engine is a Rapid7 Hosted engine, which provides an "outsider" view of your network, you can switch to a distributed engine located behind the firewall for an interior view.
Click the Start Now button to begin the scan immediately. When the scan starts, the Security Console displays a status page for the scan, which will display more information as the scan continues.
You cannot run multiple full site scans at the same time.
You can start as many manual scans as you want. However, while a scan of all assets in a site is running, whether you started it manually or the scheduler started it automatically, the application will not permit you to start another full site scan.
Monitor the progress and status of a scan
View scan progress
When a scan starts, you can keep track of how long it has been running and the estimated time remaining for it to complete. You can even see how long it takes for the scan to complete on an individual asset. These metrics can be useful to help you anticipate whether a scan is likely to complete within an allotted window.
You also can view the assets and vulnerabilities that the in-progress scan is discovering if you are scanning with any of the following configurations:
- Distributed Scan Engines (if the Security Console is configured to retrieve incremental scan results)
- Local Scan Engine (which is bundled with the Security Console)
If your scan includes asset groups and more than one Scan Engine is used, the table lists a count of the Scan Engines used. Viewing these discovery results can help you monitor the security of critical assets or determine, for example, whether an asset has a zero-day vulnerability.
To view the progress of a scan:
- Locate the Site Listing table on the Home page.
- In the table, locate the site that is being scanned.
- In the Status column, click the Scan in progress link.
You will also find progress links in the Site Listing table on the Sites page or the Current Scan Listing table on the page for the site that is being scanned.
When you click the progress link in any of these locations, the Security Console displays a progress page for the scan.
Scan Progress Table
At the top of the page, the Scan Progress table shows the scan’s current status, start date and time, elapsed time, estimated remaining time to complete, and total discovered vulnerabilities. It lists the number of assets that have been discovered, as well as the following asset information:
- Active assets are those that are currently being scanned for vulnerabilities.
- Completed assets are those that have been scanned for vulnerabilities.
- Pending assets are those that have been discovered, but not yet scanned for vulnerabilities.
These values appear below a progress bar that indicates the percentage of completed assets. The bar is helpful for tracking progress at a glance and estimating how long the remainder of the scan will take.
You can click the icon for the scan log to view detailed information about scan events. For more information, see Viewing the scan log.
The Completed Assets table lists assets for which scanning completed successfully, failed because of an error, or was stopped by a user. For scans run after November 30, 2022, the New Vulnerabilities and Remediated Vulnerabilities columns show the count of newly discovered and remediated vulnerabilities for each asset.
The Incomplete Assets table lists assets for which the scan is pending, in progress, or has been paused by a user. Additionally, any assets that could not be completely scanned because they went offline during the scan are marked Incomplete when the entire scan job completes.
Duplicate Scan Entries
If a scan failed to complete and restarted, you may temporarily see duplicate entries for the same scan - one for the failed attempt and another for the new scan that has yet to complete.
These tables list every asset's fingerprinted operating system (if available), the number of vulnerabilities discovered on it, and its scan duration and status. You can click the address or name link for any asset to view more details about it, such as all the specific vulnerabilities discovered on it.
The table refreshes throughout the scan with every change in status. You can disable the automatic refresh by clicking the icon at the bottom of the table, which can be desirable for scans of large environments, where the constant refresh can be distracting.
Pause, resume, and stop a scan
If you are a user with appropriate site permissions, you can pause, resume, or stop manual scans and scans that were started automatically by the application scheduler.
You can pause, resume, or stop scans in several areas:
- The Home page
- The Sites page
- The page for the site that is being scanned
- The page for the actual scan
To pause a scan:
- Click the Pause icon for the scan on the Home, Sites, or specific site page.
- Click OK to confirm that you want to pause the scan.
To resume a paused scan:
- Click the Resume icon for the scan on the Home, Sites, or specific site page; or click the Resume Scan button on the specific scan page.
- Click OK to confirm that you want to resume the paused scan.
To stop a scan:
- Click the Stop icon for the scan on the Home, Sites, or specific site page.
- Click OK to confirm.
The stop operation may take 30 seconds or more to complete, depending on in-progress scan activity.
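The manual-scan workflow on this page (choosing targets, a template and an engine in the Start New Scan dialog, reading status from the progress page, and pausing, resuming or stopping a scan) can also be driven from a script. The following Python is an added example, not code from the Nexpose documentation or from Rapid7. It assumes the InsightVM/Nexpose REST API v3, which this page does not cover: POST /api/3/sites/{id}/scans with an optional hosts/templateId/engineId body, GET /api/3/scans/{id}, and POST /api/3/scans/{id}/{pause|resume|stop}. The status values, the console URL, credentials, IDs and the sample response are constructed placeholders.

```python
"""Drive the manual-scan workflow through the InsightVM/Nexpose REST API v3.

Added example, not part of the Nexpose documentation. Assumed (not confirmed by
the page): the API v3 paths and body keys below, and the set of status values.
"""
import base64
import json
import time
import urllib.request

CONTROL_ACTIONS = ("pause", "resume", "stop")
# Assumed terminal values of the "status" field of a scan resource.
TERMINAL_STATUSES = ("finished", "stopped", "error", "aborted")


def build_start_scan_request(site_id, hosts=None, template_id=None, engine_id=None, name=None):
    """Build the request that starts a manual scan of a site.

    With no hosts the console scans every asset in the site's scope (the
    'all assets' option). hosts narrows the scan to specific addresses or host
    names; template_id and engine_id override the site's defaults, mirroring
    the choices offered in the Start New Scan dialog.
    """
    body = {}
    if hosts:
        body["hosts"] = list(hosts)
    if template_id:
        body["templateId"] = template_id
    if engine_id is not None:
        body["engineId"] = engine_id
    if name:
        body["name"] = name
    return {"method": "POST", "path": f"/api/3/sites/{site_id}/scans", "body": body}


def build_scan_control_request(scan_id, action):
    """Build the pause, resume or stop request for a scan; reject anything else."""
    if action not in CONTROL_ACTIONS:
        raise ValueError(f"action must be one of {CONTROL_ACTIONS}, got {action!r}")
    return {"method": "POST", "path": f"/api/3/scans/{scan_id}/{action}", "body": None}


def summarize_scan(scan):
    """Reduce a GET /api/3/scans/{id} response to the fields the progress page shows."""
    status = scan.get("status", "unknown")
    return {
        "id": scan.get("id"),
        "status": status,
        "done": status in TERMINAL_STATUSES,
        "assets": scan.get("assets", 0),
        "vulnerabilities": scan.get("vulnerabilities", {}).get("total", 0),
        "duration": scan.get("duration"),
    }


def send(console_url, username, password, request, timeout=30):
    """Send one built request with HTTP basic auth and return the parsed JSON body.

    Consoles commonly present self-signed certificates: add the console's CA to
    the trust store rather than disabling certificate verification here.
    """
    data = None
    headers = {"Accept": "application/json"}
    if request["body"] is not None:
        data = json.dumps(request["body"]).encode()
        headers["Content-Type"] = "application/json"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers["Authorization"] = f"Basic {token}"
    req = urllib.request.Request(console_url.rstrip("/") + request["path"],
                                 data=data, headers=headers, method=request["method"])
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def wait_for_scan(console_url, username, password, scan_id, interval=30):
    """Poll the scan until it reaches a terminal status; return the final summary."""
    while True:
        scan = send(console_url, username, password,
                    {"method": "GET", "path": f"/api/3/scans/{scan_id}", "body": None})
        summary = summarize_scan(scan)
        if summary["done"]:
            return summary
        time.sleep(interval)


# Constructed sample of a GET /api/3/scans/{id} response (not captured from a console).
SAMPLE_SCAN = {
    "id": 1234, "status": "running", "assets": 3, "duration": "PT12M",
    "vulnerabilities": {"critical": 2, "severe": 5, "moderate": 10, "total": 17},
}

if __name__ == "__main__":
    # Start a scan of two targets in site 42 with a PCI template on engine 3,
    # then wait for it. Placeholder URL, credentials and IDs.
    start = build_start_scan_request(42, hosts=["10.0.0.5", "db01.example.internal"],
                                     template_id="pci-audit", engine_id=3,
                                     name="patch verification")
    print(json.dumps(start, indent=2))
    print(summarize_scan(SAMPLE_SCAN))
```

Verifying a patch on one asset becomes one start request with that host and the appropriate template, followed by wait_for_scan; stopping a runaway scan is build_scan_control_request(scan_id, "stop") passed to send. The builders are kept separate from send so they can be unit-tested without a console.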
View history for all scans
You can quickly browse the scan history for your entire deployment by viewing the Scan History page.
From the Administration page, click the view link for Scan History.
The interface displays the Scan History page, which lists all scans, along with who started or restarted each scan, the total number of scanned assets, the number of discovered vulnerabilities, and other information about each scan. Click the date link in the Completed column to view details about a scan.
You can download the log for any scan as discussed in the preceding topic.