Avoiding vulnerability checks on dead devices

I am wondering what strategies our community members are using to avoid vulnerability scans on dead devices. I was trying to find a way to exclude them in scan templates but apparently that is not an option.

We have too many sites to be excluding it within every single site. Trying to see if there are other options to avoid using licenses on these devices.

If the asset is a DEAD asset, then it should not take up a license. If you are getting ghost assets reported on IPs where assets do not exist, I would say you need to edit your template to “Avoid TCP Reset Responses”. It sounds like you have a firewall or something in between the scanner and the assets that is responding for them, and IVM is seeing those responses as live assets and annotating them.

These are legitimate devices and responses. What I meant to say was since discovery does not count against licensing, if there was an easy way to exclude devices with 0 vulnerabilities and no operating systems/hostnames, etc. from being checked for vulnerabilities.

We had a talk with someone at Rapid7 and they had recommended to delete them. But I was wondering if there was an easier way just to discover them but don’t scan for vulnerabilities…

PS: we do have the ‘Avoid TCP reset responses’ option checked.

Ahh ok, so what you could do is start with a discovery of all assets and then define asset groups based off of specific subnets, OS, etc. to specify the groups of things like Windows servers/workstations, Linux servers/workstations, Network Devices, etc. (things I want to assess) and have a separate group for Printers, IoT devices, cameras, etc. (things I don’t want to assess). From there, within the site you would create scheduled scans and specify subsets of assets and only select the asset groups that you want to scan.

This would ensure that you are still discovering ALL assets but are only using licenses on the ones that are getting actual vulnerability or policy scans against them.
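The grouping described in the reply above, sketched as an added example that is not part of the thread and is not Rapid7 code: it partitions a discovery result into groups to assess and a discover-only group, then lists the scan scope. The record fields, subnets, OS keywords and group names are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample of discovery results; the field names are assumptions,
# not a real InsightVM export schema.
DISCOVERED = [
    {"ip": "10.1.10.5", "hostname": "dc01", "os": "Microsoft Windows Server 2019"},
    {"ip": "10.1.10.23", "hostname": "web02", "os": "Ubuntu Linux 22.04"},
    {"ip": "10.1.50.11", "hostname": "", "os": "HP LaserJet"},
    {"ip": "10.1.60.7", "hostname": "cam-lobby", "os": ""},
    {"ip": "10.1.20.9", "hostname": "sw-core", "os": "Cisco IOS 15.2"},
    {"ip": "10.1.10.77", "hostname": "", "os": ""},
    {"ip": "10.1.10.40", "hostname": "appliance7", "os": "Unknown embedded"},
]

# Hypothetical grouping rules: subnets and OS keywords for things not to assess,
# and OS keywords for the groups that should get vulnerability scans.
SKIP_SUBNETS = [ipaddress.ip_network(n) for n in ("10.1.50.0/24", "10.1.60.0/24")]
SKIP_OS = ("laserjet", "printer", "camera")
ASSESS_OS = {
    "Windows": ("windows",),
    "Linux": ("linux",),
    "Network Devices": ("cisco ios", "junos"),
}

def classify(asset):
    """Return the asset group name for one discovered asset."""
    ip = ipaddress.ip_address(asset["ip"])
    os_name = asset["os"].lower()
    # No OS fingerprint and no hostname: keep discovering it, do not assess it.
    if not os_name and not asset["hostname"]:
        return "Discover only"
    if any(ip in net for net in SKIP_SUBNETS) or any(k in os_name for k in SKIP_OS):
        return "Discover only"
    for group, keywords in ASSESS_OS.items():
        if any(k in os_name for k in keywords):
            return group
    return "Review"  # fingerprinted but unmatched: decide by hand before scanning

def build_groups(assets):
    groups = {}
    for asset in assets:
        groups.setdefault(classify(asset), []).append(asset["ip"])
    return groups

def scan_scope(groups):
    """IPs in the groups selected for scheduled vulnerability scans."""
    excluded = {"Discover only", "Review"}
    ips = [ip for name, members in groups.items() if name not in excluded for ip in members]
    return sorted(ips, key=ipaddress.ip_address)
```

The length of `scan_scope(build_groups(DISCOVERED))` is the number of assets that would receive vulnerability scans under these rules, which is the figure to compare against the license count.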

Thanks! As I expected, it needs a complete overhaul of the environment. lol