In USM Anywhere you can run:
An authenticated scanAuthenticated scans are performed from inside the machine using a user account with appropriate privileges. verifies scanned IPs and detects vulnerabilities, configuration issuesAn identified configuration of deployed software or features of software that is in use, which is known to be insecure., and software. The USM Anywhere SensorSensors are deployed into an on-premises, cloud, or multi-cloud environment to collect logs and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. initiates a credentialed SSHProgram to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). (Linux), WinRM (Windows), or MacOS connection to the assetAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. and remotely runs a series of commands for host-based assessment. See Managing Credentials in USM Anywhere. You can run authenticated asset scans from these pages:
- Environment > Assets for running an authenticated scan in that precise moment. See Running Authenticated Asset Scansfor more information.
- Environment > Asset Groups for running an authenticated asset groups scan in that precise moment. See Running Authenticated Asset Groups Scans for more information.
- Settings > Scheduler for scheduling an authenticated scan job during a specific period of time. See Scheduling Asset Scans from the Job Scheduler Page and Scheduling Asset Groups Scans from the Job Scheduler Page for more information.
- Environment > Vulnerabilities for running an asset scan. You can scan a single asset, an asset group, or enter a network range. See Running an Asset Scan from Vulnerabilities for more information.
Warning: An authenticated scan may fail if the local mail exchanger, which applies to Linux hostsReference to a computer on a network., is enabled in the target asset.
You cannot scan USM Anywhere sensors.
Use an asset scan to discover services, operating systemsSoftware that manages computer hardware resources and provides common services for computer programs. Examples include Microsoft Windows, Macintosh OS X, UNIX, and Linux., hostnamesA hostname is a label that is assigned to a device connected to a computer network and is used to identify the device on the network., IP and MAC addressesA unique numeric value assigned by the manufacturer to identify a specific network device or computer, which allows communication over networks. Note that a device’s MAC address can be manipulated., and vulnerabilities of known hosts in the deployed network. You can run non-authenticated asset scans from these pages:
- Environment > Assets for running an asset scan in that precise moment. See Running Asset Scans for more information.
- Environment > Asset Groups for running an asset group scan in that precise moment. See Running Asset Groups Scans for more information.
- Settings > Scheduler for scheduling an asset scan job during a specific period of time. See Scheduling Asset Scans from the Job Scheduler Page and Scheduling Asset Groups Scans from the Job Scheduler Page for more information.
Note: See USM Anywhere Scans Best Practices for more information.
Commands Used in Authenticated Scans
When you run an authenticated scan in USM Anywhere, there are multiple commands executing at the same time. These commands change constantly and there are new definitions released every day. You can also verify which commands have been executing at any given moment.
Linux-authenticated scans use privilege escalation over ssh. Commands are logged in the audit log:
Windows-authenticated scans perform file and registry checks to determine the version of the installed patch.
Running an Asset Scan from Vulnerabilities
- Go to Environment > Vulnerabilities.
Click New Scan.
The Authenticated Asset Scan dialog box opens.
- Select the assets you want to scan:
- Single Asset. You need to enter the name of the target you want to scan or select it from a list of your targets.
- Asset Group Name. You need to enter the name of the asset groupAsset groups are administratively created objects that group similar assets for specific purposes. you want to scan or click Select from List for selecting it from a list of your asset groups.
- Network ranged. You need to enter the network range you want to scan.
A new Authenticated Asset Scan dialog box opens.
- Click Assign Credentials for assigning credentials to the assets and devices you want to scan. Click Create New Credentials for creating a credential. See Managing Credentials in USM Anywhere for more information.
- Click Select Another Target if you want to come back.
- You can select the targets to scan if you have more than one.
- Click Start Scan.
- Click Continue Scanning And Close.
- Click Refresh Scan Results to update the list.
The scan starts. Depending on the selected asset, the scan can last several minutes. When the scan finishes, you can see the status and if the scan found vulnerabilities. If you want to view the results of your scan, you need to go to the asset details page. See Viewing Assets Details for more information.
While the scan is running, a Scanning button shows. When the scan finishes, the message Scan finished. Refresh to view scan results displays.