Avoiding vulnerability checks on dead devices

I am wondering what strategies our community members are using to avoid vulnerability scans on dead devices. I was trying to find a way to exclude them in scan templates but apparently that is not an option.

We have too many sites to be excluding it within every single site. Trying to see if there are other options to avoid using licenses on these devices.

If the asset is a DEAD asset, then it should not take up a license. If you are getting ghost assets reported on IPs where assets do not exist, I would say you need to edit your template to “Avoid TCP Reset Responses”. It sounds like you have a firewall or something in between the scanner and the assets that is responding for them, and IVM is seeing those responses as live assets and annotating them.

John,
These are legitimate devices and responses. What I meant to say was: since discovery does not count against licensing, is there an easy way to exclude devices with 0 vulnerabilities and no operating system/hostname, etc., from being checked for vulnerabilities?

We had a talk with someone at Rapid7 and they recommended deleting them. But I was wondering if there was an easier way to just discover them but not scan them for vulnerabilities…

PS: we do have the ‘Avoid TCP reset responses’ option checked.

Ahh ok, SO what you could do is start with a discovery of all assets and then define asset groups based off of specific subnets, OS, etc. to specify groups of things like Windows servers/workstations, Linux servers/workstations, network devices, etc. (things I want to assess), and have a separate group for printers, IoT devices, cameras, etc. (things I don’t want to assess). From there, within the site you would create scheduled scans, specify subsets of assets, and only select the asset groups that you want to scan.

This would ensure that you are still discovering ALL assets but are only using licenses on the ones that are getting actual vulnerability or policy scans against them.


Thanks! As I expected, it needs a complete overhaul of the environment. lol

John,
I am trying to revisit this topic again. Our R7 environment is set up as a site for each location. There is a dynamic group that collects all the dead assets based on minimum risk score and OS identification. All sites are configured to exclude this group from scanning.

So, let’s say I run a discovery scan first thing in the morning and follow it up with a vulnerability check later in the day. Would I avoid using licenses for those devices that get filtered into the dead device group?
Also, if the devices stay in the group, are they excluded on the next scan based on IP addresses or their particular signatures? If that is IP based, wouldn’t it miss scanning some devices after their DHCP leases renew?

Sorry for throwing so many questions at you. It has me a bit confused, and I am trying to figure out a way to limit license use without having to delete these devices (it messes up the asset vs. risk score chart).
Thanks in advance!

If you’re excluding them at the site level, then technically they shouldn’t be found during a discovery either, so I would avoid having the site exclude those assets. Especially if you are having DHCP handle the addressing for all of those devices.

What I suggest is to not focus so much on exclusions but to focus more on your targets. The site can still be set up to scope to the full subnet and run a discovery scan scoped to the full site. This way everything is found and can populate any asset groups. However, if you have an asset group defined on assets with 0 risk score and/or 0 vulnerabilities, then using that to exclude, you’re probably going to exclude more than you want unless those assets have an agent on them.

Your site should be defined on the whole scope with a discovery scan to target EVERYTHING, and then a scheduled vulnerability scan that specifically targets asset groups that you actually want to scan without having to define exclusions more or less.
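As an added illustration of the approach in this thread (discover everything, then target only the groups you want to assess) and of the DHCP concern raised earlier, the example below models it on constructed discovery data. It is not InsightVM or Rapid7 code and calls no Rapid7 API; the asset fields, the dead-asset heuristic and the "do not assess" OS keywords are assumptions for the example.

```python
# Added example on constructed data; not InsightVM code and not the Rapid7 API.
# Assumed fields: ip, mac, hostname, os, vuln_count. The dead-asset heuristic
# (no OS, no hostname, zero findings) mirrors the dynamic group described above.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str          # stable identifier that survives a DHCP lease change
    hostname: str     # "" when discovery resolved no name
    os: str           # "" when fingerprinting failed
    vuln_count: int


# Constructed discovery results: same four devices on two days; on day 2 a DHCP
# lease renewal has swapped the addresses of web01 and the dead-looking device.
DAY1 = [
    Asset("10.0.0.10", "aa:aa:aa:00:00:01", "web01", "Linux", 12),
    Asset("10.0.0.11", "aa:aa:aa:00:00:02", "", "", 0),              # dead / ghost
    Asset("10.0.0.12", "aa:aa:aa:00:00:03", "prn-lobby", "HP Printer", 0),
    Asset("10.0.0.13", "aa:aa:aa:00:00:04", "ws-jdoe", "Windows 10", 3),
]
DAY2 = [
    Asset("10.0.0.11", "aa:aa:aa:00:00:01", "web01", "Linux", 12),   # moved
    Asset("10.0.0.10", "aa:aa:aa:00:00:02", "", "", 0),              # moved
    Asset("10.0.0.12", "aa:aa:aa:00:00:03", "prn-lobby", "HP Printer", 0),
    Asset("10.0.0.13", "aa:aa:aa:00:00:04", "ws-jdoe", "Windows 10", 3),
]

DO_NOT_ASSESS_OS = ("printer", "camera", "iot")   # assumed keyword list


def looks_dead(a: Asset) -> bool:
    """Dead-asset heuristic: no OS, no hostname and zero findings."""
    return a.os == "" and a.hostname == "" and a.vuln_count == 0


def wants_assessment(a: Asset) -> bool:
    """Servers/workstations get vulnerability scans; printers, IoT and dead assets do not."""
    if looks_dead(a):
        return False
    return not any(tag in a.os.lower() for tag in DO_NOT_ASSESS_OS)


def scan_targets(assets, key=lambda a: a.mac):
    """Identifiers a scheduled vulnerability scan should target. Keying by MAC
    (or hostname) rather than IP keeps the selection stable across DHCP churn."""
    return {key(a) for a in assets if wants_assessment(a)}


def ip_exclusion_drift(day1, day2):
    """The DHCP pitfall: an IP exclusion list built on day 1 silently drops
    assessable hosts that inherit an excluded address on day 2."""
    excluded_ips = {a.ip for a in day1 if not wants_assessment(a)}
    return sorted(a.hostname for a in day2 if wants_assessment(a) and a.ip in excluded_ips)
```

Running `scan_targets` keyed by MAC gives the same two hosts on both days, while the IP-based exclusion from day 1 would skip web01 on day 2.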