Any option to limit max. scan duration? [Case Update]

Update (28.03.2024): I have raised a support case (Idea Case)

Hello everyone,
I have a short question. Is there a way to limit the maximum scan duration on one asset? During my weekly scans, I sometimes encounter situations where my scheduled scans cannot finish in time because only one out of over 3000 scanned assets fails to complete, even after waiting for over 3 hours. Typically, this issue arises with Windows 10 clients, likely because these specific assets were shut down and went offline during the scan. In my opinion, it would be helpful if I could set a maximum scan duration, allowing the scanner to move on if a scan cannot be completed within, let's say, a maximum of 2 hours.

Has anyone else experienced similar behavior, and how do you address this issue on your end?

Best regards,
David


Reply from Rapid7 on my support case:

Your Rapid7 support case "Idea - Enhance Scan Duration Control for Individual Assets", case #06694960, has been updated with the following information:

Hello David,

Thank you for contacting the Rapid7 Support Team. My name is Vince and I will be assisting you today.

An internal ticket has been logged for this feature request and it is now with Rapid7 Product Management. Rapid7 Product Management considers all submitted requests for enhancement and selectively provides detailed reviews and feedback.

Not every enhancement request is technically feasible, suitable for all customers, or consistent with the experience Rapid7 aims to deliver. Accordingly, Rapid7 makes no commitment to implement enhancement requests. I will archive this issue as an enhancement request filed and we will reach out if we require any further information. No ETA has been given at this stage.

This message is to confirm that we have moved your request into 'Closed - Enhancement Request Filed' status and it is now with Rapid7 Product Management. Your case will now be closed and we will keep you posted on any updates once available.

We will reach out if we require any further information. If you require an update on your feedback at any time or if your business impact changes with regard to this, please contact your Customer Success Manager.

Have you looked at the scan template that you are using?
There are a bunch of options in there that have performance impacts.
During a health check they reviewed these with us; I'd recommend getting one of those scheduled.

I don't think there is a solution for just one asset on a specific site. Just for the total site scan.

Yes, I have already looked into the scan template and searched for a global setting, but I could not find any useful setting.

Yea, I need a global solution and just for one specific asset. :slight_smile:

It's frustrating. I have one site in particular where scans will hang up on different assets and the scan will run for days if I let it. I had to change that scan to pause after 24 hours and then I have to go in to the console and manually stop the scan. Tenable has an option in the scan config that basically says if a scan has been running for more than X amount of time on an IP to consider it dead and move on. Rapid7 needs the same thing.

That is precisely the option that should be added to the scan configuration template. Since we also have Microsoft Defender on all Windows 10 clients, I can at least check the vulnerabilities using the Microsoft Defender console for the specific clients that got stuck during the scan process. I will raise a feature request.

I also highly recommend looking into Scan Assistant. It will enable local scanning on the assets, which I've found greatly speeds up those one-off assets that take forever to complete. Using the Scan Assistant | InsightVM Documentation

This is a really good idea. We also have some particular assets that take forever to scan, and with 10s of thousands of assets I don't have the bandwidth to troubleshoot each one. If a server or printer is taking 4 hours to scan that is an obvious indicator something has gone wrong.

There should be an option in the scan template to abort scanning a particular asset after X amount of minutes or hours. A per-asset max scan duration.

Hear us, mysterious product team! We don't need CIS template updates, we need quality of life improvements in the tool!

I hope that my support case or idea will be promptly reviewed and implemented by the development team. I share the same opinion as you that policy updates do not greatly interest me, as we rarely use policy scans. However, we have transitioned from monthly global scans to weekly scans and are therefore more interested in improving scan performance. Let's see… I will add any updates to my initial post.

Have you tried using the Duration option while setting the Schedule for a Scan? If the duration is set in the schedule, the scan will stop upon reaching the set duration. The scan can be resumed during the next scan cycle.

Yes, I have set a max. duration on all my scan sites. However, I think there should also be an option to set a max. scan time on an asset.

Hello everyone,
I have an example from today's scan.
As you can see, this scan site is very small and has only around 85-90 assets. The scan is nearly finished; only one asset is pending.
Something is interrupting the scan progress on this asset, and there is no option to counter such scan behavior other than to stop the whole scan. Which I am going to do, since I can live with that if I don't have the latest vulnerabilities from this system (it is not in a critical environment).

What are your settings for the template?

I'm seeing this kind of thing too. Support has recommended changing some performance settings in the template (which I will do as time permits), but there are only a small proportion of assets that are slow (and they change each time) while the majority of assets in the scan progress at the expected speed, so I'm doubting any template settings are the culprit.

It would be handy to just skip any that aren't scanning properly.

Would also be handy if the "scan duration" field showed the duration for each asset once the scan was complete rather than showing the total scan time of all assets so you'd know which ones were taking a long time without having to sit and watch the entire scan.

These are my settings. But I think this would not solve my problem. The overall scan performance is great. I can scan the whole company within one day (14 hours). But thanks for providing the screenshot. I will adjust my template accordingly. Maybe it will further improve the overall scan performance, which is a good thing.

This is precisely my issue: when I have a scanning site with 3000 assets, and 2999 assets are scanned between 10 to 20 minutes each on average, but only one asset is not in the mood to be scanned, then the entire scan site is blocked and will not finish (unless I manually stop the scan). And it is not always the same asset.

This is also a very good idea.
