Any option to limit max. scan duration? [Case Update]

Update (28.03.2024): I have raised a support case (Idea Case)

Hello everyone,
I have a short question. Is there a way to limit the maximum scan duration on one asset? During my weekly scans, I sometimes encounter situations where my scheduled scans cannot finish in time because only one out of over 3000 scanned assets fails to complete, even after waiting for over 3 hours. Typically, this issue arises with Windows 10 clients, likely because these specific assets were shut down and went offline during the scan. In my opinion, it would be helpful if I could set a maximum scan duration, allowing the scanner to move on if a scan cannot be completed within, let’s say, a maximum of 2 hours.

Has anyone else experienced similar behavior, and how do you address this issue on your end?

Best regards,
David


Reply from Rapid7 on my support case:

Your Rapid7 support case “Idea - Enhance Scan Duration Control for Individual Assets”, case #06694960, has been updated with the following information:

Hello David,

Thank you for contacting the Rapid7 Support Team. My name is Vince and I will be assisting you today.

An internal ticket has been logged for this feature request and it is now with Rapid7 Product Management. Rapid7 Product Management considers all submitted requests for enhancement and selectively provides detailed reviews and feedback.

Not every enhancement request is technically feasible, suitable for all customers, or consistent with the experience Rapid7 aims to deliver. Accordingly, Rapid7 makes no commitment to implement enhancement requests. I will archive this issue as an enhancement request filed and we will reach out if we require any further information. No ETA has been given at this stage.

This message is to confirm that we have moved your request into ‘Closed - Enhancement Request Filed’ status and it is now with Rapid7 Product Management. Your case will now be closed and we will keep you posted on any updates once available.

We will reach out if we require any further information. If you require an update on your feedback at any time or if your business impact changes with regard to this, please contact your Customer Success Manager.

Have you looked at the scan template that you are using?
There are a bunch of options in there that have performance impacts.
During a health check they reviewed these with us, I’d recommend getting one of those scheduled.

I don’t think there is a solution for just one asset on a specific site. Just for the total site scan.

Yes, I have already looked into the scan template and searched for a global setting, but I could not find any useful setting.

Yea, I need a global solution and just for one specific asset. :slight_smile:

It’s frustrating. I have one site in particular where scans will hang up on different assets and the scan will run for days if I let it. I had to change that scan to pause after 24 hours and then I have to go in to the console and manually stop the scan. Tenable has an option in the scan config that basically says if a scan has been running for more than X amount of time on an IP to consider it dead and move on. Rapid7 needs the same thing.

2 Likes

That is precisely the option that should be added to the scan configuration template. Since we also have Microsoft Defender on all Windows 10 clients, I can at least check the vulnerabilities using the Microsoft Defender console for the specific clients that got stuck during the scan process. I will raise a feature request.

I also highly recommend looking into Scan Assistant. It will enable local scanning on the assets, which I’ve found greatly speeds up those one-off assets that take forever to complete. Using the Scan Assistant | InsightVM Documentation

This is a really good idea. We also have some particular assets that take forever to scan, and with 10s of thousands of assets I don’t have the bandwidth to troubleshoot each one. If a server or printer is taking 4 hours to scan that is an obvious indicator something has gone wrong.

There should be an option in the scan template to abort scanning a particular asset after X amount of minutes or hours. A per-asset max scan duration.

Hear us mysterious product team! We don’t need CIS template updates, we need quality of life improvements in the tool!

1 Like

I hope that my support case or idea will be promptly reviewed and implemented by the development team. I share the same opinion as you that policy updates do not greatly interest me, as we rarely use policy scans. However, we have transitioned from monthly global scans to weekly scans and are therefore more interested in improving scan performance. Let’s see… I will add any updates to my initial post.

1 Like

Have you tried using the Duration option while setting Schedule for a Scan? If the duration is set in schedule, the scan will stop upon reaching the set duration. Scan can be resumed during the next scan cycle.

Yes, I have set a max. duration on all my scan sites. However, I think there should also be an option to set a max. scan time on an asset.

1 Like

Hello everyone,
I have an example from today’s scan.
ScanProgress
As you can see, this scan site is very small and has only around 85-90 assets. The scan is nearly finished; only one asset is pending.
ScanProgress2
Something is interrupting the scan progress on this asset, and there is no option to counter such scan behavior other than to stop the whole scan. Which I am going to do, since I can live with that if I don’t have the latest vulnerabilities from this system (it is not in a critical environment).

What are your settings for the template?
image

I’m seeing this kind of thing too. Support has recommended changing some performance settings in the template (which I will do as time permits), but if there are only a small proportion of assets that are slow (and they change each time) while the majority of assets in the scan progress at the expected speed. So I’m doubting any template settings are the culprit.

It would be handy to just skip any that aren’t scanning properly.

Would also be handy if the “scan duration” field showed the duration for each asset once the scan was complete rather than showing the total scan time of all assets so you’d know which ones were taking a long time without having to sit and watch the entire scan.

1 Like

These are my settings. But I think this would not solve my problem. The overall scan performance is great. I can scan the whole company within one day (14 hours). But thanks for providing the screenshot. I will adjust my template accordingly. Maybe it will further improve the overall scan performance, which is a good thing.
ScanTemplate

This is precisely my issue: when I have a scanning site with 3000 assets, and 2999 assets are scanned between 10 to 20 minutes each on average, but only one asset is not in the mood to be scanned, then the entire scan site is blocked and will not finish (unless I manually stop the scan). And it is not always the same asset.

This is also a very good idea.

1 Like

Have you thought about deploying the InsightAgent to supported systems, such as Windows 10, and then excluding the agent group from remote authenticated scans? Obviously there’s nuance to every environment, but this way it limits your RAS to only systems that don’t support an agent. The InsightAgent really eliminates these types of issues for supported OSes. It has made a world of difference in our environment.

Hi @john_woodling,
I forgot to send my reply 5 months ago :slight_smile: :man_facepalming:
We exclusively utilize the Insight Agents on Windows 10 clients in our remote locations that are not directly connected to our corporate network. Additionally, we deploy them on servers that are not domain-joined and on virtual servers/clients in our Azure cloud. The reason behind this approach is that Microsoft Defender is active on all Windows 10 clients and an increasing number of servers in our corporate network. The use of another agent is not preferred, as there are concerns that it might cause operational issues. As part of our second line of defense, we conduct network scans to verify whether the first line of defense (including Patch Management and Configuration Management) is effectively fulfilling its responsibilities.

Currently I have the same issue again with a scan. 2300 assets were already scanned, but only one asset got stuck.
image
image

There is no way to set up a limit for the scanner to skip an asset if the scan takes longer than, let’s say, one hour. I am also unable to manually stop the scan on just this asset. The only option I have is to manually stop the entire scan. This is acceptable for now, as the results of the finished assets are already in the bucket. However, I believe this needs to be fixed, and I will have to wait until my feature request receives attention. :sweat_smile:

That’s really obnoxious. I hope they are able to fulfill your request, but I feel like they are really moving towards an agent based approach for anything that can have an agent on it.

I know you have “agent fatigue” but I have had very little issues with the Rapid7 Agent on systems personally, if anything it actually reduced system resource impact and time from remote authenticated scans. It can take some tuning like defender policies, but honestly it feels like it would be worth your time so you don’t have to chase down bum scans.

1 Like