Agent + Scan Engine fails on Windows

Hiya.

We are running into a situation where on Windows systems of all flavors, if we have the agent installed and running and also a remote scan running against the asset, the vulnerability data the agent collected is dropped and the scan engine logs only externally visible vulnerability data (e.g. TLS handshake issues). The OS for the asset also changes from the correct one detected by the agent to a generic “Microsoft Windows”

We’ve been working around this by just not scanning anything with the agent, but we’d like to be able to use both so we can do adhoc scanning as necessary.

We have asset correlation enabled and also the “do not repeat checks the agent run” option enabled.

Has anyone else run into this and/or have any pointers?

hello, I have def seen this before. the agent reports in correctly but when the scan runs nmap reports it incorrectly. causes some issues for sure. I would be interested in what we can to do fix this.

Do you have the “Enable Windows services during a scan” enabled? Also, credentials with appropriate permissions on the windows devices configured in the site(s)?

Yes to both.

Okay, another issue I ran into with some of our Windows endpoints was our endpoint protection would react to the scanning and would temporarily block any communication inbound from the engine, effectively stopping the scan on the asset before it could really even start. We got around this with some specific exceptions to the endpoint protection to allow/ignore the scan engine activity when it came from the engines.

The last thing I can think of would check that your endpoint’s firewall rules to make sure that inbound connections from engines are being allowed or not blocked like CIFS(tcp/445), at least for the IP(s) of
the scan engines, as well as any hardening settings controlling remote connections to the endpoint.

You can create a separate site for ad hoc scanning without the agent exclusions and scan schedule. Then use that site for scans.

You can create a separate site for ad hoc scanning without the agent exclusions and scan schedule. Then use that site for scans.

We did try this and we still experience the problem.