27. Frequently Asked Questions

This section collects frequently asked questions with answers.

27.1. What is the difference between a scan sensor and a scan slave?

A scan slave is controlled by a scan master for doing vulnerability scans. Scans for scan slaves are configure on the scan master by each user as needed and permitted. GSM’s from midrange upward can act as a master and control one or many scan slaves. Any GSM can act as a scan slave. Any scan slave has to take care on its own to update the feed and release.

A scan sensor is a GSM that solely works as scan slave but is also fully managed by the master unit. This management includes automatic feed and release updates. Essentially, a sensor does not require any other connection than to its master and, once installed, does not require any administrative works.

27.2. Scan process very slow

The performance of a scan depends on various aspects.

  • Several port scanners were activated concurrently.

    If your are using a individual Scan Config please take care to select only a single port scanner in the family “Port Scanner”. Of course “Ping Host” can still be activated.

  • Unused IP addresses are scanned very time-consuming.

    In a first phase for each IP address it is detected whether a active system is present. In case it is not, this IP will not be scanned. Firewalls and other systems can prevent a successful detection. The NVT “Ping Host” (1.3.6.1.4.1.25623.1.0.100315) offers to fine-tune detection.

27.3. Scan triggers alarm at other security tools

For many vulnerability tests the behaviour of real attacks is applied. Even though a real attack does not happen, some security tools will issue an alarm.

Known examples are:

  • Symantec reports attack regarding CVE-2009-3103 if the NVT “Microsoft Windows SMB2 ‘_Smb2ValidateProviderCallback()’ Remote Code Execution Vulnerability” (1.3.6.1.4.1.25623.1.0.100283) is executed. This NVT is only executed if “safe checks” is explicitly disabled in the Scan Configuration because it can affect the target system.

27.4. On scanned target systems appears a VNC dialog

When testing port 5900 or configured VNC port, a window appears on scanned target system that asks the user whether to allow the connection. This was observed for UltraVNC Version 1.0.2.

Solution: Exclude port 5900 or other configured VNC port from target specification. Alternatively upgrade to a newer version of UltraVNC would help (UltraVNC 1.0.9.6.1 only uses balloons to inform users).

27.5. After Factory Reset neither Feed-Update nor System-Upgrade works

(This is not relevant for virtual appliances where no factory reset is integrated anyway)

A Factory Reset deletes the whole system including the subscription key. The key is mandatory for Feed-Update and System-Upgrade.

  1. Reactivate subscription key:

    A backup key is delivered with each GSM appliance, usually stored on a USB Stick and labelled with the key ID. Use this key to reactivate the GSM. The activation is described in the SetUp Guide of the respective GSM type.

  2. Update system to current version:

    Depending on the age of the factors emergency system you now need to execute the respective upgrade procedure.