You are here: Docs>Sheriff Web>UserGuides>SheriffCSMDocumentation>UserGuide>VulnerabilityAssessment>VulnerabilityScans>CreatingVulnerabilityScanJobs (26 Apr 2022, SheriffCyberSecurity)Edit Attach
Up
Previous Next

Sheriff CSMâ„¢

Creating Vulnerability Scan Jobs

By default, Sheriff CSM runs vulnerability scan jobs without any authentication. They are less thorough and are most appropriate when you want a birds-eye overview on your assets.

Note: Before scanning a public network space, see Addendum Notice Regarding Scanning Leased or Public Address Space.

Important: Threat intelligence update will not finish if any vulnerability scan is running, because the update needs to refresh the vulnerability threat database used by the scan.

To create a new vulnerability scan job

  1. Go to Environment > Vulnerabilities > Scan Jobs.

  2. Click New Scan Job.

    Create Scan Job dialog box.

  3. Identify the scan job by typing a name in the Job Name field.

  4. Select a Sensor (Deputy) from the Select Sensor list.

    Important: You can only run up to 5 concurrent scans per Sheriff CSM Sensor.

  5. Select a profile from the Profile list or create your own scan profile, see Vulnerability Scan Profiles for descriptions.

  6. In Schedule Method, do one of the following:

    • To launch the scan without any delay, keep the default value as "Immediately".
    • To schedule the job to run at a different time, make a selection based on the table below.

      Sheriff CSM vulnerability scan schedules

      Schedule Method Description
      Immediately Launch the scan job without any delay.
      Run Once Run scan once at the specified date and time.
      Daily Run scan every x days at the specified time beginning on the specified day.
      Day of the Week Run scan on the specified day and time of the week.
      Day of the Month Run scan on the specified day and time of the month.
      Nth week of the month Run scan on the specified day and time on the Nth week of the month. A week starts on the first day of the month and lasts 7 days.

  7. (Optional) Click Advanced.

    • For authenticated scans, choose SSH Credential (UNIX/Linux) or SMB Credential (Windows), depending on the operating system of your hosts.

      Note: Skip this step for unauthenticated scans. You need to create the credentials first. For assistance, see Creating Credentials for Vulnerability Scans.

    • Specify the maximum time (in seconds) that the scan should run.

      In Sheriff CSM version 5.2 and earlier, the default is 28,800 seconds (8 hours).

      In Sheriff CSM version 5.3 and later, the default is 57,600 seconds (16 hours).

    • To send an email notification after the scan finishes, select Yes, and then select User or Entity as the email recipient.

    • Important: Be aware of the following when making the selection:

      • Admins can view all scans.
      • If you are not an admin and you assign the scan to a different user, you can't view this scan yourself.
      • If you are an admin and you don't assign the scan to any user or entity, all non-admin users can't view this scan.
      • If you are an admin and you assign this scan to a non-admin user, both you and the non-admin user can view this scan, but other non-admin users can't.
      • If you assign the scan to an entity, all users who belong to the entity can view the scan.

    • See Sheriff CSM User Accounts for the definition of different user roles.

  8. (Optional, available in Sheriff CSM version 5.3.2 and later) Specify the port numbers you do not want to scan in Exclude Ports. Use comma to separate the port numbers but do not use any space between them. For example, "1,33,555,26-30,44".

    Note: Using this option slows down the scan because Sheriff CSM performs additional tasks to exclude the ports you specify.

  9. From the asset structure towards the right, select assets, asset groups, or networks to perform the vulnerability scan.

    Important: Starting from Sheriff CSM version 5.3, any scan covering more than 3500 hosts will be split into multiple scan jobs automatically. For example, if you are trying to scan a /16 network that contains 65,536 hosts, it will result in 19 jobs (65,536 / 3500). Each Sheriff CSM Sensor can run up to 5 jobs simultaneously. You will see 19 reports after the scan has completed.

  10. Alternatively, start typing the IP address and Sheriff CSM fills in the rest as you type. If you want to exclude a specific IP address, prefix your selection with an exclamation mark ("!"), which means do not scan that IP address.

    Example: 

    !192.168.2.200

  11. (Optional) To speed up the scanning process, click Only scan hosts that are alive.

  12. (Optional) If you do not want to pre-scan from a remote Sensor, click Pre-Scan locally.

  13. (Optional) If you do not want to resolve hostnames or FQDN, click Do not resolve names.

  14. To create the vulnerability scan, click Save.

Edit  | Attach | Print version | History: r26 < r25 < r24 < r23 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r26 - 26 Apr 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.