Can I force-rescan an endpoint after vuln removal?

Greetings. I have an endpoint that had a large amount of vulns, and it was remediated with a simple uninstall. Is there a way to get InsightIDR to force a rescan of that specific endpoint? I would like to evaluate whether InsightIDR agrees that the remediation has taken place.

I think you might be referring to InsightVM instead of InsightIDR if you’re referring to our products. InsightIDR has no understanding of vulnerabilities on an endpoint except for the info brought over from our integration with InsightVM, our vulnerability management tool.

We do have the ability in InsightVM to do an ad-hoc scan on a specific asset though. For that, simply go to the site (or any site) that the asset is a part of, click “Scan Now”, then specify a subset of assets and only type in the IP/hostname of the server that you’re looking to scan. Alternatively, you can just go to the asset page within InsightVM and click the “Scan Now” button at the top to get the same results.

Keep in mind though that if this software was found by the Insight Agent (and the Insight Agent is on the target endpoint), you must rescan with a template that does not have the “skip checks performed by the Insight Agent” option enabled.

By the way, yes, you’re right… I should have marked this as InsightVM and not IDR. Thanks for the point.

I can see the endpoint in InsightVM, but I’m not seeing an ability to scan.

You may be looking at an asset that only has the Insight Agent on it. The agent has no way of doing an ad-hoc scan. If you want to rescan the asset, it must be contained within the scope of a separate site and have the ability to be scanned by a scan engine in your environment. Because of this, you typically cannot ad-hoc scan workstations for remote users when they are only connected to their home wi-fi.

What exactly does “contained within the scope of a separate site” mean? This computer can be easily reached on our own corporate network, and home wifi use is not a concern for this case.

The goal is to get InsightVM to reassess the computer, now that the vulnerability was removed via uninstall. That’s all I wanna do.

[Screenshot 2023-06-26 at 4.10.17 PM]

In the screenshot above, notice how this asset is only in the Rapid7 Insight Agents site. Given that it is ONLY in the Agent site, there is no ‘scan asset now’ option.

[Screenshot 2023-06-26 at 4.13.55 PM]

Now in this screenshot, the asset is part of the Global site, which basically just means that it is in two different sites. But what is important here is that it is in both the Insight Agents site as well as contained within a separate site. The IP of 10.3.23.44 is contained within the scope of a site that I have created which means that site can scan it through a scan engine.

So, TL;DR: the asset you’re trying to scan (for an ad-hoc scan) has to be defined in the scope of a site somewhere.


The approach I use is to keep a “Rescan” site based on an asset group which is tied to a custom tag. Sounds complicated, but bear with me a second.

Create a user-defined tag. Create a dynamic asset group (“Rescan group”, or whatever name you like) that is filtered on that custom tag. Create a site whose scope is members of the “Rescan Group” asset group only.

Add the tag to the asset that you want to scan (I usually also push the scan assistant to the asset for good measure) and then scan the site and use the option “Specify one or more assets within this site to scan” to list the asset or assets you just tagged.

Hope this helps!

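The tag-driven “Rescan” site workflow above can also be driven through the InsightVM REST API (v3), which is handy when you have to repeat it for many remediated hosts. The script below is an added example, not Rapid7’s code or anything from this thread: it attaches the rescan tag to the asset, launches an ad-hoc scan limited to that one host, and then checks the asset’s current findings for the vulnerability ids you expect the uninstall to have removed. It assumes the three API paths named in the module docstring; the console URL, credentials, ids, template name and the finding statuses are placeholders or constructed sample values, and the built-in offline transport exists only so the logic runs without a console. Remember the earlier caveat: the template you pass must not skip checks already performed by the Insight Agent, or the agent-found vulns will not be re-evaluated.

```python
"""Ad-hoc rescan of one InsightVM asset through the REST API (v3).

Added example, not Rapid7 code. Assumed API shapes (public API v3):
  PUT  /api/3/tags/{tagId}/assets/{assetId}      attach a custom tag to an asset
  POST /api/3/sites/{siteId}/scans               start an ad-hoc scan; "hosts" limits it
  GET  /api/3/assets/{assetId}/vulnerabilities   findings with an "id" and a "status"
All URLs, credentials, ids and sample findings below are placeholders.
"""
import base64
import json
from urllib import request


class InsightVMClient:
    """Minimal basic-auth client. The transport is injectable so request building
    can be exercised offline; the default transport really talks to the console."""

    def __init__(self, base_url, username, password, transport=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json",
                        "Accept": "application/json"}
        self.transport = transport or self._urllib_transport

    def _urllib_transport(self, method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(self.base_url + path, data=data,
                              headers=self.headers, method=method)
        with request.urlopen(req, timeout=30) as resp:  # raises HTTPError on >= 400
            return json.loads(resp.read() or b"{}")

    def tag_asset(self, tag_id, asset_id):
        # Pulls the asset into the tag-filtered asset group, hence into the Rescan site.
        return self.transport("PUT", f"/api/3/tags/{tag_id}/assets/{asset_id}", None)

    def start_adhoc_scan(self, site_id, hosts, engine_id, template_id, name):
        return self.transport("POST", f"/api/3/sites/{site_id}/scans",
                              build_adhoc_scan_body(hosts, engine_id, template_id, name))

    def asset_vulnerabilities(self, asset_id):
        return self.transport("GET", f"/api/3/assets/{asset_id}/vulnerabilities?size=500", None)


def build_adhoc_scan_body(hosts, engine_id, template_id, name):
    """Request body for a scan restricted to the given hosts: the API form of the
    'specify one or more assets within this site to scan' option."""
    if not hosts:
        raise ValueError("an ad-hoc rescan needs at least one host")
    return {"name": name, "engineId": engine_id,
            "templateId": template_id, "hosts": list(hosts)}


def still_vulnerable(findings_page, vuln_ids):
    """Subset of vuln_ids the asset still reports as vulnerable. Assumed: a finding's
    'status' starts with 'vulnerable' while open and is e.g. 'invulnerable' once fixed."""
    present = {f["id"] for f in findings_page.get("resources", [])
               if str(f.get("status", "")).startswith("vulnerable")}
    return set(vuln_ids) & present


class RecordingTransport:
    """Offline stand-in for the console: records calls, returns constructed responses."""

    def __init__(self, findings):
        self.calls = []
        self.findings = findings

    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        if method == "POST":
            return {"id": 4242}  # constructed scan id
        if method == "GET":
            return self.findings
        return {}


# Constructed sample findings: one vuln still open, one cleared by the uninstall.
SAMPLE_FINDINGS = {"resources": [
    {"id": "example-vuln-1", "status": "vulnerable"},
    {"id": "example-vuln-2", "status": "invulnerable"},
]}


def rescan_and_check(client, *, tag_id, asset_id, site_id, host, engine_id,
                     template_id, expected_removed):
    """Tag, launch the limited scan, and report which expected-removed vulns remain.
    Against a real console, poll GET /api/3/scans/{id} until the scan has finished
    before calling asset_vulnerabilities; here the check runs immediately."""
    client.tag_asset(tag_id, asset_id)
    scan = client.start_adhoc_scan(site_id, [host], engine_id, template_id, f"rescan {host}")
    remaining = still_vulnerable(client.asset_vulnerabilities(asset_id), expected_removed)
    return scan, remaining


if __name__ == "__main__":
    # Swap RecordingTransport for transport=None (and real credentials) to hit a console.
    demo = InsightVMClient("https://console.example:3780", "user", "pass",
                           transport=RecordingTransport(SAMPLE_FINDINGS))
    scan, left = rescan_and_check(demo, tag_id=7, asset_id=123, site_id=5, host="10.0.0.5",
                                  engine_id=3, template_id="placeholder-template-id",
                                  expected_removed={"example-vuln-1", "example-vuln-2"})
    print("scan", scan["id"], "still vulnerable:", sorted(left) or "none")
```

The only state that matters for the forum workflow is the tag: once it is on the asset, the dynamic group and the site pick the host up automatically, so the same tag id and site id can be reused for every remediation you want to confirm.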

Wait 8 hours or reboot the host, and it should redetect the vulnerabilities.
