Are you scanning your workstations with agents?

Anyone doing authenticated vulnerability scans in addition to already having the agent on them? Is there truly an advantage of this? We would prefer to not have a windows service account access to all of our workstations/servers if it doesn’t bring much value.

Also, for vulnerabilities found, if you are scanning and have the agent, is there any way to identify if the vulnerability was discovered via agent versus a scan?

I have been looking into using Agents more and was told there is a way to correlate the data. But there are certain checks that the agent cannot do, e.g. default credentials or certain HTTP checks, that you still need to do scans to check for. So I plan on using Agents to enhance my scanning, not replace it.

We have been utilizing the agent as well. Although some people think it’s a replacement, we were informed after we initiated a project that the agent only does local checks, whereas the actual scan does both local and remote checks. It’s really good for people that can’t maintain their credentials, but all my reports are showing credentials failed because people have deactivated their creds because the agent is running and manual scans are still taking place (so if you guys figure out a resolution please let me know; I think I’m going to have to separate the servers running an agent from scans for now, or my reports get reported with what are false positives). Frustrating. So I agree with @brandon_mcclure: don’t replace, just use the agent to enhance scanning.

That’s true, you cannot replace the InsightVM agent completely, but it does help a lot.

  1. The InsightVM agent is lightweight and reports back more often than you would get with a network scan.
  2. Network scans are more efficient with agents. If you enable complementary scanning, the network scan will detect the agent and will skip checks that were already performed by the agent.

But it’s true that some vulnerabilities and checks need to be done from network scans. Furthermore, remote/network scan checks are always made available faster during a zero day (Log4J, Spring4Shell)…

-Sylvain


We use the Agents extensively as common service logins across our environment are not possible. We also scan all known networks with remote scans and they provide some additional information, but correlation can be tricky at times and we’ll wind up with duplicate devices. We use the network scan primarily for discovery and on devices we can’t load agents on.
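The correlation and duplicate-asset problem described in the post above (and the earlier question of telling whether a finding came from the agent or from a scan) comes down to joining two inventories on the identifiers each collector reports. The script below is an added example with constructed sample records; it is not InsightVM's export or API format and not Rapid7 code. It joins on MAC first, then on a normalised short hostname, deliberately never on IP alone (DHCP churn is the usual reason the same workstation shows up twice), reports IP-only overlaps for a human to review, and labels every finding as agent-only, scan-only, or seen by both.

```python
"""Correlate agent-reported assets with network-scan assets and label each
finding by which collector reported it.  Added example on constructed data;
it does not model InsightVM's actual export or API formats."""

# Constructed sample inventories (not product output).  Scan records often
# lack a MAC off the local segment, and hostnames may be short or qualified.
AGENT_ASSETS = [
    {"hostname": "ws-0142.corp.example", "ip": "10.20.1.42",
     "mac": "00:1a:2b:3c:4d:5e",
     "vulns": {"CVE-2021-44228", "CVE-2021-26855"}},
    {"hostname": "srv-db01.corp.example", "ip": "10.30.0.10",
     "mac": "00:1a:2b:3c:4d:60", "vulns": {"CVE-2022-22965"}},
]
SCAN_ASSETS = [
    # the same workstation, now at a new DHCP address and with no MAC seen
    {"hostname": "WS-0142", "ip": "10.20.1.77", "mac": None,
     "vulns": {"CVE-2021-44228", "http-default-credentials"}},
    # the database server: no hostname resolved, matched on MAC
    {"hostname": None, "ip": "10.30.0.10", "mac": "00:1A:2B:3C:4D:60",
     "vulns": {"CVE-2022-22965", "ssh-weak-kex"}},
    # a printer that cannot run an agent
    {"hostname": "prn-03", "ip": "10.20.1.200", "mac": "00:aa:bb:cc:dd:ee",
     "vulns": {"snmp-default-community"}},
]


def short_host(name):
    """Lower-case and strip the domain so 'WS-0142' == 'ws-0142.corp.example'."""
    return name.lower().split(".")[0] if name else None


def norm_mac(mac):
    return mac.lower() if mac else None


def new_record(host, mac):
    return {"hostname": host, "mac": mac, "ips": set(), "sources": set(),
            "vulns": {"agent": set(), "scan": set()}}


def correlate(agent_assets, scan_assets):
    """Merge two inventories.  Join on MAC first, then short hostname.
    IP is never used as a join key: DHCP churn makes IP-only matches the
    usual cause of duplicate assets, so those are returned for review."""
    merged, by_mac, by_host = [], {}, {}
    for a in agent_assets:
        rec = new_record(short_host(a["hostname"]), norm_mac(a["mac"]))
        rec["ips"].add(a["ip"])
        rec["sources"].add("agent")
        rec["vulns"]["agent"] |= set(a["vulns"])
        merged.append(rec)
        if rec["mac"]:
            by_mac[rec["mac"]] = rec
        if rec["hostname"]:
            by_host[rec["hostname"]] = rec
    ip_only = []
    for s in scan_assets:
        mac, host = norm_mac(s["mac"]), short_host(s["hostname"])
        rec = by_mac.get(mac) or by_host.get(host)
        if rec is None:
            # unmatched scan asset whose IP an agent asset already claims:
            # flag it instead of silently merging or silently duplicating
            if any(s["ip"] in m["ips"] for m in merged):
                ip_only.append(s["ip"])
            rec = new_record(host, mac)
            merged.append(rec)
        rec["ips"].add(s["ip"])
        rec["sources"].add("scan")
        rec["vulns"]["scan"] |= set(s["vulns"])
        if mac and not rec["mac"]:
            rec["mac"] = mac          # scan supplied a MAC the agent lacked
        if host and not rec["hostname"]:
            rec["hostname"] = host
    return merged, ip_only


def finding_sources(rec):
    """Return {finding: 'agent' | 'scan' | 'both'} for one merged asset."""
    agent, scan = rec["vulns"]["agent"], rec["vulns"]["scan"]
    return {v: "both" if v in agent and v in scan
            else "agent" if v in agent else "scan"
            for v in agent | scan}


def build_report(agent_assets=AGENT_ASSETS, scan_assets=SCAN_ASSETS):
    """Map each asset (hostname, else MAC, else first IP) to its sources,
    addresses and per-finding source labels."""
    merged, ip_only = correlate(agent_assets, scan_assets)
    report = {}
    for m in merged:
        key = m["hostname"] or m["mac"] or sorted(m["ips"])[0]
        report[key] = {"sources": m["sources"], "ips": m["ips"],
                       "findings": finding_sources(m)}
    return report, ip_only


if __name__ == "__main__":
    rep, dupes = build_report()
    for name, info in rep.items():
        print(name, sorted(info["sources"]), sorted(info["ips"]))
        for v, src in sorted(info["findings"].items()):
            print("   ", src.ljust(5), v)
    if dupes:
        print("possible duplicates (IP-only overlap):", dupes)
```

Run against the constructed data, the workstation collapses into one asset with both addresses, `http-default-credentials` is labelled scan-only (the sort of remote check an agent never performs), and the printer shows up as scan-only because nothing else could have seen it. Feeding it a real export means replacing the two lists with whatever fields your console gives you for MAC and hostname; the join order is the part worth keeping.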

Have you looked into the newer Scan Assistant?

We have and are currently trialing it on devices across the network.

No, because we deploy the agent to everything. It looks like it returns mostly the same results as an agent but is intended for devices without internet access.

It has a very beneficial use of not passing credentials for authenticated scans across the network. There are specific checks that the agent cannot do, like default credential checks or some of the other ingress checks, so either a Scan or Scan Assistant is still needed. I would not trust the agent alone without doing some kind of scan also.

Does it actually perform ingress checks? The documentation does not say it does. The docs lead you to think it only returns what an agent would.

I hope someone from Rapid7 can chime in with this. I haven’t actually deployed a Scan Assistant yet, only looking at using them and I assumed that it scanned the same as my traditional scanning without my issues with credential management.

I myself never thought about separating them out; I don’t see a need to. I have been using both as long as I have had it running. Agents and authenticated scans can operate differently and get different info. It’s also faster: if there is an emergency situation because of a recent attack like the Microsoft Exchange ProxyLogon vulnerabilities and Log4Shell CVE-2021-44228, you may not want to wait for the authenticated scans to run.

The agent is right there and can scan for that new vulnerability. Rapid7 is moving more towards the agent and away from the authenticated scans.

The agent gives you real-time actionable data, which is critical in our business, right?

Plus, when you use Rapid7’s Insight Agent, credentialed scans aren’t even necessary. Keeps you from risking exposure of a privileged account password hash to a malicious actor. Rapid7’s Insight Agent automatically collects data from your endpoints—even those from remote workers who rarely join the corporate network.

We are using our agents on all our endpoints to retrieve most results from our endpoints.

Then we do network scans to check for the vulnerabilities that the agent can’t check.

Depending on whether it is one of our user segments or one of our server segments, we use different sets of credentials, so that if credentials were captured by an attacker in the user segments, those credentials are not enough to move into our server segments.

To speed up our network scans we also exclude agent checks if the scan sees that the asset has been checked by the agent before.