Role Availability | Read-Only | Investigator | Analyst | Manager |
In USM Anywhere you can run:
An authenticated scan verifies scanned IPs and detects vulnerabilities, configuration issues (identified configurations of deployed software, or features of software in use, that are known to be insecure), and software. Authenticated scans are performed from inside the machine using a user account with appropriate privileges. The USM Anywhere Sensor initiates a credentialed SSH (Linux), WinRM (Windows), or macOS connection to the asset and remotely runs a series of commands for host-based assessment. Sensors are deployed into an on-premises, cloud, or multi-cloud environment to collect logs and other security-related data; this data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. SSH is a program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). An asset is an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. See Managing Credentials in USM Anywhere. You can run authenticated asset scans from these pages:
- Environment > Assets to run an authenticated scan immediately. See Running Authenticated Asset Scans for more information.
- Environment > Asset Groups to run an authenticated asset group scan immediately. See Running Authenticated Asset Groups Scans for more information.
- Settings > Scheduler to schedule an authenticated scan job during a specific period of time. See Scheduling Asset Scans from the Job Scheduler Page and Scheduling Asset Groups Scans from the Job Scheduler Page for more information.
- Environment > Vulnerabilities to run an asset scan. You can scan a single asset, an asset group, or enter a network range. See Running an Asset Scan from Vulnerabilities for more information.
Warning: An authenticated scan may fail if the local mail exchanger, which applies to Linux hosts, is enabled in the target asset.
You cannot scan USM Anywhere sensors.
Use an asset scan to discover services, operating systems, hostnames, IP and MAC addresses, and vulnerabilities of known hosts in the deployed network. An operating system is software that manages computer hardware resources and provides common services for computer programs; examples include Microsoft Windows, Macintosh OS X, UNIX, and Linux. A hostname is a label that is assigned to a device connected to a computer network and is used to identify the device on the network. A MAC address is a unique numeric value assigned by the manufacturer to identify a specific network device or computer, which allows communication over networks. Note that a device's MAC address can be manipulated. You can run non-authenticated asset scans from these pages:
- Environment > Assets to run an asset scan immediately. See Running Asset Scans for more information.
- Environment > Asset Groups to run an asset group scan immediately. See Running Asset Groups Scans for more information.
- Settings > Scheduler to schedule an asset scan job during a specific period of time. See Scheduling Asset Scans from the Job Scheduler Page and Scheduling Asset Groups Scans from the Job Scheduler Page for more information.
Note: See USM Anywhere Scans Best Practices for more information.
Commands Used in Authenticated Scans
When you run an authenticated scan in USM Anywhere, there are multiple commands executing at the same time. These commands change constantly and there are new definitions released every day. You can also verify which commands have been executing at any given moment.
Linux-authenticated scans use privilege escalation over SSH. Commands are logged in the audit log:
/var/log/secure*
/var/log/auth*
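To verify which commands a Linux-authenticated scan executed on an asset, you can summarize the scan account's entries in those logs. The following is an added example, not part of the USM Anywhere documentation; it assumes the escalation is done with sudo using its default syslog format, and the account name usmscan, the host web01, and the sample log lines are constructed.

```bash
#!/usr/bin/env bash
# Added example: summarize what a scan account ran through sudo.
# Assumptions: escalation uses sudo with default syslog logging;
# "usmscan" and "web01" are hypothetical names.

# Usage:  scan_sudo_commands USER [LOGFILE...]   ("-" reads stdin)
# Output: count<TAB>status<TAB>run-as user<TAB>command, most frequent first.
scan_sudo_commands() {
  scan_user="$1"; shift
  [ "$#" -gt 0 ] || set -- /var/log/secure* /var/log/auth*
  # Rotated *.gz copies must be decompressed first; unreadable files are skipped.
  cat -- "$@" 2>/dev/null | awk -v u="$scan_user" '
    {
      # Syslog tag is "sudo:" or "sudo[PID]:"; the message follows it.
      if (!match($0, /sudo(\[[0-9]+\])?: +/)) next
      msg = substr($0, RSTART + RLENGTH)
      sep = index(msg, " : ")          # "<invoking user> : TTY=... ; ..."
      cmd = index(msg, "COMMAND=")
      if (sep == 0 || cmd == 0 || substr(msg, 1, sep - 1) != u) next
      runas = "?"
      if (match(msg, /USER=[^ ;]+/)) runas = substr(msg, RSTART + 5, RLENGTH - 5)
      # sudo puts the refusal reason before TTY= when it rejects a request.
      status = (msg ~ /command not allowed|NOT in sudoers|incorrect password/) ? "denied" : "ok"
      seen[status "\t" runas "\t" substr(msg, cmd + 8)]++
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines in sudo syslog format (not real scan output).
sample_auth_log() {
  cat <<'EOF'
Mar  4 02:15:01 web01 sshd[4120]: Accepted publickey for usmscan from 10.0.0.5 port 50122 ssh2
Mar  4 02:15:02 web01 sudo:  usmscan : TTY=unknown ; PWD=/home/usmscan ; USER=root ; COMMAND=/usr/bin/dpkg-query -W
Mar  4 02:15:02 web01 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Mar  4 02:15:03 web01 sudo[4133]:  usmscan : TTY=unknown ; PWD=/home/usmscan ; USER=root ; COMMAND=/usr/bin/dpkg-query -W
Mar  4 02:15:04 web01 sudo:  usmscan : command not allowed ; TTY=unknown ; PWD=/home/usmscan ; USER=root ; COMMAND=/usr/sbin/dmidecode
Mar  4 02:16:10 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
EOF
}

# Demo: summarize the constructed sample for the scan account.
sample_auth_log | scan_sudo_commands usmscan -
```

A "denied" row for the scan account usually means the sudoers policy does not allow a command the scan needs, which is worth checking when a scan fails or returns incomplete results.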
Windows-authenticated scans perform file and registry checks to determine the version of the installed patch.
Running an Asset Scan from Vulnerabilities
- Go to Environment > Vulnerabilities.
- Click New Scan.
  The Authenticated Asset Scan dialog box opens.
- Select the assets you want to scan:
  - Single Asset. You need to enter the name of the target you want to scan or select it from a list of your targets.
  - Asset Group Name. You need to enter the name of the asset group you want to scan or click Select from List to select it from a list of your asset groups. Asset groups are administratively created objects that group similar assets for specific purposes.
  - Network Range. You need to enter the network range you want to scan.
- Click Next.
  A new Authenticated Asset Scan dialog box opens.
- Click Assign Credentials to assign credentials to the assets and devices you want to scan. Click Create New Credentials to create a credential. See Managing Credentials in USM Anywhere for more information.
- Click Select Another Target if you want to go back.
- You can select the targets to scan if you have more than one.
- Click Start Scan.
- Click Continue Scanning And Close.
- Click Refresh Scan Results to update the list.
The scan starts. Depending on the selected asset, the scan can last several minutes. When the scan finishes, you can see the status and if the scan found vulnerabilities. If you want to view the results of your scan, you need to go to the asset details page. See Viewing Assets Details for more information.
While the scan is running, a Scanning button shows. When the scan finishes, the message Scan finished. Refresh to view scan results displays.