AlienVault® USM Appliance™

Running Vulnerability Scans from Assets

Applies to Product: USM Appliance™ AlienVault OSSIM®

You can run vulnerability scans on individual assets.

The fewer assets to scan, the sooner the scan finishes.

Note: Before scanning a public network space, see Addendum Notice Regarding Scanning Leased or Public Address Space.

Important: A threat intelligence update will not finish while any vulnerability scan is running, because the update needs to refresh the vulnerability threat database used by the scan.

To run a vulnerability scan on selected assets

  1. Go to Environment > Assets & Groups > Assets.
  2. Select the asset(s) you want to edit. For assistance, see Selecting Assets in Asset List View.
  3. Click Actions, and then Run Vulnerability Scan.

    On Vulnerability Scan, the selected assets display at the bottom.

  4. Identify the scan job by typing a name in the Job Name field.
  5. Select a sensor from the Select Sensor list.

    Important: You can only run up to 5 concurrent scans per USM Appliance Sensor.

  6. Select a profile from the Profile list.

    USM built-in vulnerability scan profiles

    Profile Name | Description
    Deep         | A non-destructive full and slow scan.
    Default      | A non-destructive full and fast scan. Use this profile if the target system tends to break or crash with the scanning requests.
    Ultimate     | A full and fast scan including destructive tests. It includes stress tests that can crash the target system. For example, filling a network switch with random MAC addresses.

    For creating your own scan profiles, see Customizing Vulnerability Profiles.

  7. In Schedule Method, do one of the following:

    • To launch the scan without any delay, keep the default value as "Immediately".
    • To schedule the job to run at a different time, make a selection based on the table below.

      USM Appliance vulnerability scan schedules

      Schedule Method       | Description
      Immediately           | Launch the scan job without any delay.
      Run Once              | Run scan once at the specified date and time.
      Daily                 | Run scan every x days at the specified time beginning on the specified day.
      Day of the Week       | Run scan on the specified day and time of the week.
      Day of the Month      | Run scan on the specified day and time of the month.
      Nth week of the month | Run scan on the specified day and time on the Nth week of the month. A week starts on the first day of the month and lasts 7 days.

  8. (Optional) Click Advanced.

    • For authenticated scans, choose SSH Credential (UNIX/Linux) or SMB Credential (Windows), depending on the operating system of your hosts.

      Note: Skip this step for unauthenticated scans. You need to create the credentials first. For assistance, see Creating Credentials for Vulnerability Scans.

    • Specify the maximum time (in seconds) that the scan should run.

      In USM Appliance version 5.2 and earlier, the default is 28,800 seconds (8 hours).

      In USM Appliance version 5.3 and later, the default is 57,600 seconds (16 hours).

    • To send an email notification after the scan finishes, select Yes, and then select User or Entity as the email recipient.
  9. (Optional, available in USM Appliance version 5.3.2 and later) In Exclude Ports, specify the port numbers you do not want to scan. Use commas to separate the port numbers, with no spaces between them. For example, "1,33,555,26-30,44".

    Note: Using this option slows down the scan because USM Appliance performs additional tasks to exclude the ports you specify.

  10. (Optional) To speed up the scanning process, click Only scan hosts that are alive.
  11. (Optional) If you do not want to pre-scan from a remote sensor, click Pre-Scan locally.
  12. (Optional) If you do not want to resolve hostnames or FQDN, click Do not resolve names.
  13. To create the vulnerability scan, click Save.
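
A pre-check for the Exclude Ports value in step 9, as an added example that is not part of the AlienVault documentation or product: it enforces the comma-separated, no-space syntax shown above and merges overlapping entries. The function names and the 1-65535 port bound are assumptions of this example.

```python
import re

# Assumption: valid port numbers are 1-65535. The page itself only shows the
# syntax: comma-separated ports or "low-high" ranges, with no spaces.
_TOKEN = re.compile(r"(\d{1,5})(?:-(\d{1,5}))?")


def parse_exclude_ports(field):
    """Return sorted, merged (low, high) ranges, or raise ValueError."""
    if re.search(r"\s", field):
        raise ValueError("spaces are not allowed between port numbers")
    ranges = []
    for token in field.split(","):
        match = _TOKEN.fullmatch(token)
        if not match:
            raise ValueError(f"not a port or port range: {token!r}")
        low = int(match.group(1))
        high = int(match.group(2) or match.group(1))
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"port out of range or reversed range: {token!r}")
        ranges.append((low, high))
    # Merge overlapping or adjacent ranges so duplicates do not inflate the list.
    merged = []
    for low, high in sorted(ranges):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def normalize_exclude_ports(field):
    """Return the field rewritten in the page's syntax, plus the port count."""
    merged = parse_exclude_ports(field)
    text = ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in merged)
    count = sum(hi - lo + 1 for lo, hi in merged)
    return text, count


if __name__ == "__main__":
    # Constructed inputs; the first is the example string from step 9.
    for sample in ["1,33,555,26-30,44", "80,443,440-445", "22, 23", "30-26"]:
        try:
            print(sample, "->", normalize_exclude_ports(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

The returned port count shows how much of each host the scan will skip, which is worth recording with the job name so that a clean report is not read as covering the excluded ports.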