Set maximum scan duration per device

When scanning within a specified window of time, scan completion is a primary concern. In some environments, devices may be unresponsive or slow to respond to scanning. As a result, the scan does not complete within the specified window.

Solution

You may now configure the Scan Engines within Nexpose to obey a per device maximum scan duration.

Recommendation

The objective of a vulnerability scan is to obtain visibility to the exposures on a given device. While Rapid7 understands the practical need for scan scheduling and scan windows, setting a per device maximum scan duration is not recommended because it obscures visibility to legitimate scanning obstacles. Implementation may result in false negatives and therefore a false sense of confidence in results.

Before enabling this capability, Rapid7 recommends troubleshooting long-running scans directly, with the intent of understanding the obstacles that prevent visibility and efficient scan completion.

IMPORTANT

Care should be taken when setting custom properties. If you are not familiar with custom properties we recommend contacting Rapid7 Support for assistance.

For the Local Scan Engine Within the Security Console

A custom property may be set within the Security Console:

  1. In your Security Console, click the Administration tab in your left navigation menu.
  2. In the "Maintenance, Storage and Troubleshooting" section, click Run next to the "Troubleshooting" label.
  3. To set a per device maximum scan duration, enter the following command in the provided field and click Execute:
     set custom property com.rapid7.nexpose.scanTargetMonitor.networkNode.timeLimit=1800000

     In this example, 1800000 is a value in milliseconds, which is 30 minutes.
  4. To confirm the per device maximum scan duration was set properly, execute the following command:

     get property com.rapid7.nexpose.scanTargetMonitor.networkNode.timeLimit

To remove the per device maximum scan duration and revert to unbound behavior, execute the following command:

     delete custom property com.rapid7.nexpose.scanTargetMonitor.networkNode.timeLimit

For Distributed Scan Engines

A custom property may be set on each distributed Scan Engine. Access the machine with SSH or your preferred method.

  1. Locate the CustomEnvironment.properties file within the Scan Engine installation folder. Here are the default installation locations:
    • Linux - /opt/rapid7/nexpose/nse
    • Windows - C:\Program Files\rapid7\nexpose\nse

TIP

If the CustomEnvironment.properties file does not exist, create it with a text editor.

  2. Add this property to the CustomEnvironment.properties file:

     com.rapid7.nexpose.scanTargetMonitor.networkNode.timeLimit=1800000

     In this example, 1800000 is a value in milliseconds, which is 30 minutes.
  3. After configuring this property with your desired value, restart the Scan Engine service so the changes can take effect.
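The distributed Scan Engine steps above, written as an added shell helper that is not Rapid7's code: it sets the property idempotently (creating the file if it is missing, replacing any existing or commented-out assignment) and takes the limit in minutes, converting it to the milliseconds the property expects. The install path in the comment is the Linux default from this page; the function names and the minutes argument are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Nexpose product or documentation.
# Key and file name come from the page; everything else is an assumption.
PROP_KEY="com.rapid7.nexpose.scanTargetMonitor.networkNode.timeLimit"

# set_time_limit <properties-file> <minutes>
# Writes PROP_KEY=<minutes*60000> into the file, dropping any earlier
# assignment of the key (active or commented out) so only one line remains.
# Creates the file if it does not exist, as the TIP above describes.
set_time_limit() {
    file="$1"
    minutes="$2"
    case "$minutes" in
        ''|*[!0-9]*|0) echo "minutes must be a positive integer" >&2; return 1 ;;
    esac
    ms=$((minutes * 60000))                  # property value is in milliseconds
    [ -f "$file" ] || : > "$file"            # create an empty file if absent
    tmp="${file}.tmp.$$"
    grep -v "^[#[:space:]]*${PROP_KEY}=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$PROP_KEY" "$ms" >> "$tmp"
    mv "$tmp" "$file"
}

# get_time_limit <properties-file>
# Prints the configured value in milliseconds, or nothing if unset.
get_time_limit() {
    [ -f "$1" ] || return 0
    sed -n "s/^${PROP_KEY}=//p" "$1" | tail -n 1
}

# Typical use on a Linux Scan Engine (default install location from the page),
# followed by a restart of the Scan Engine service so the change takes effect:
#   set_time_limit /opt/rapid7/nexpose/nse/CustomEnvironment.properties 30
```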