Several typical problems can occur during a scan that uses the default values of the NSM. The default values are valid for most environments and customers, but depending on the actual environment and the configuration of the scanned hosts, they might require some tweaking.
During a typical scan, the NSM will by default first use the ping command to check the availability of the configured targets. If a target does not reply to the ping request, it is presumed to be dead and will not be scanned by the port scanner or any VT.
In most LAN environments this does not pose any problems because all devices will respond to a ping request. But sometimes (local) firewalls or other configurations might suppress the ping response. If this happens, the target will not be scanned and will not be included in the results and the scan report.
To remediate this problem, both the target configuration and the scan configuration support the setting of the alive test (see Alive Test).
If the target does not respond to a ping request, a TCP ping may be tried. If the target is located within the same broadcast domain, an ARP ping may be tried as well.
Once the target is discovered to be alive using the ping command, the NSM uses a port scanner to scan the target. By default, a TCP port list containing around 5000 ports is used. If the target is protected by a (local) firewall that drops most of these packets, the port scan has to wait for the timeout of each individual port. If the hosts are protected by (local) firewalls, the port lists or the firewalls may be tuned. If the firewall rejects the request instead of dropping it, the port scanner does not have to wait for the timeout. This is especially true if UDP ports are included in the scan.
VTs not being executed happens especially often with UDP-based VTs, such as VTs using the SNMP protocol. If the default scan configuration Full and fast is used, the SNMP VTs are included. But if the target is configured with the default port list, these VTs are not executed. This happens because the default port list does not include any UDP ports. Therefore, port 161/udp (SNMP) is not discovered and is excluded from further scans. Both the discovery scans and the recommended scan configuration Full and fast optimize the scan based on the discovered services. If the UDP port is not discovered, no SNMP VTs are executed.
Do not enable all ports by default in the port lists. This will prolong the scans considerably. Best practice is to tune the port lists to the ports that are used in the environment and are supported by the firewalls.
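The following Python example, added here and not taken from the product or its documentation, checks whether a port list covers the ports that the planned VTs depend on, such as 161/udp for SNMP. The `T:`/`U:` range notation, the two sample port lists and the `REQUIRED` table are assumptions constructed for illustration.

```python
# Added example: check whether a port list covers the ports that planned VTs need.
# Assumption: port ranges are written as "T:<tcp ranges>,U:<udp ranges>".

def parse_port_list(spec):
    """Return {"tcp": set_of_ports, "udp": set_of_ports} for a range string."""
    ports = {"tcp": set(), "udp": set()}
    proto = "tcp"  # entries before any prefix are treated as TCP
    for item in spec.replace(" ", "").split(","):
        if item[:2].upper() == "T:":
            proto, item = "tcp", item[2:]
        elif item[:2].upper() == "U:":
            proto, item = "udp", item[2:]
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {item}")
        ports[proto].update(range(lo, hi + 1))
    return ports

def missing_ports(spec, required):
    """List the (service, port, proto) entries the port list does not cover."""
    ports = parse_port_list(spec)
    return [(svc, port, proto) for svc, (port, proto) in required.items()
            if port not in ports[proto]]

# Constructed: services whose VTs should run in this environment.
REQUIRED = {"SNMP": (161, "udp"), "SSH": (22, "tcp"), "HTTPS": (443, "tcp")}

# Constructed: a TCP-only list (like the default, it has no UDP ports)
# and a list tuned to the ports actually used in the environment.
TCP_ONLY = "T:1-1024,3306,3389,8080"
TUNED = "T:22,80,443,3389,U:161"

if __name__ == "__main__":
    for name, spec in (("tcp-only", TCP_ONLY), ("tuned", TUNED)):
        gaps = missing_ports(spec, REQUIRED)
        print(name, "->", gaps or "all required ports covered")
```

A non-empty result for a port list means the VTs for those services will be skipped, because the scan is optimized based on the services discovered on the listed ports.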
The scanner is able to find all relationships of host names and IP addresses without needing additional user input.
In environments with virtual hosts, the scan reports will have fewer results because duplicates are avoided.
Two scanner preferences handle vhost scanning:
test_empty_vhost
If this preference is enabled, the scanner also tests the target by using empty vhost values in addition to the target’s associated vhost values.
expand_vhosts
If this preference is enabled, the target’s host list of vhosts is expanded with values gathered from sources such as reverse lookup queries and VT checks for SSL/TLS certificates.