McAfee Vulnerability Manager 7.5 Scan Configuration and Status

Version 1

    Introduction

     

    This guide walks you through the McAfee Vulnerability Manager (MVM) 7.5 Scan Configuration and Scan Status features.  Once you have completed the steps in the McAfee Vulnerability Manager getting started video, your system should be fully installed, updated and licensed.  The first login to the Enterprise Manager will render a page with blank dashboard information.  This course is aimed at getting good scanning data to get you started.

     

    Video

     

    This video takes you step by step through the MVM 7.5 Scan Configuration and Scan Status. For reference the same steps and additional information are provided below.

     

     

     

     

    Prerequisites

     

    We advise reviewing the McAfee Vulnerability Manager 7.5 Getting Started Guide or watching the 'How to Install, Update and License McAfee Vulnerability Manager 7.5'  video found at  https://www.youtube.com/watch?v=WIfYJJYLtxM

     

     

    Scan Configuration

     

    Log into the Enterprise Manager

     

    EM.PNG

     

    The Dashboard will be empty until a scan is performed.  Click Scan -> New Scan

     

    new scan.PNG

     

     

    The Scan Configuration Wizard will open in a new screen.  The options will be:

     

    - Use McAfee Vulnerability Manager default settings: This is the default scan. You can base it on the default and change the settings as desired to customize your scan. 
    - Use a McAfee Vulnerability Manager template:  The available McAfee Vulnerability Manager templates appear in the bottom half of the page.

    - Use an existing scan:   The list of scans from your organization appears in the bottom half of the page.

     

    scan config wizard.PNG

     

     

    Targets

     

    Enter scan Name and the Targets you wish to Discover or Assess

     

    Targets:  Select this tab to define IP address ranges by entering a beginning and ending IP address. This tab is selected by default when you first display the Targets tab.

     

    Browse: Select this tab to define IP address ranges by browsing an asset list or asset tags, then dragging assets or groups of assets from the list to the IP Range list. By default this tab shows the active assets.

     

    Search: Select this tab to define IP address ranges by searching for assets with a specific label, IP, operating system, NetBIOS name, DNS name, domain name, URL, or asset tag. By default this tab shows the active assets.

     

    Included Ranges: Shows the ranges that will be included in the scan.

     

    Excluded Ranges:  Shows addresses that are explicitly excluded from the scan.

     

     

    scan name and targets.PNG

     

    Icon Key:

     

    target tab key.PNG

     

    Network Stack Selection:  Select the internet protocol version to use when adding IP addresses to your scan configurations. See Internet protocol versions and scan configurations.

    •  IPv6 Disabled – Only allow IPv4 addresses in this scan configuration.

    •  IPv4 Disabled – Only allow IPv6 addresses in this scan configuration.

    •  IPv4 and IPv6 Enabled – Allow both IPv4 and IPv6 addresses in this scan configuration.

     

    To import a list of IP addresses, click Import, browse to the file to be uploaded, and click Import. Make sure the file is properly formatted before uploading. A file imported into the enterprise manager is limited to 2500 lines.
    The ranges from the file appear when the upload finishes. Then click OK.

    Settings

     

    Click Next >> to go to the Settings tab.  We recommend leaving the default settings in this tab unless there is a specific need to change the defaults.  The online help found in the upper right corner describes each setting available in detail.

     

     

    HOSTS

    hosts.PNG

     

    SERVICES

     

    services.PNG

     

     

    CREDENTIALS

     

     

    credentials.PNG

     

     

    VULN SELECTION

     

    If you want this scan to automatically select new, updated vulnerability checks when they are released, follow these steps:

     

    1.  Click Advanced to show the Run new checks option for each vulnerability category.
    2.  For each vulnerability category for which you want to include updated vulnerability checks in this scan, select the Run new checks checkbox.

     

    When McAfee Vulnerability Manager 7.5 receives an update, new checks within the selected category are automatically selected to be scanned the next time this scan runs.

     

     

    Vuln selection.PNG

     

    OPTIMIZE

     

    optimize.PNG

     

     

    The WEB APP CONFIG tab will be covered in another feature guide.

     

    Reports

     

    Create Remediation Tickets:  Select this option to have McAfee Vulnerability Manager 7.5 create remediation tickets when the scan is complete.

    If this option is not selected, this scan will not produce remediation tickets.

     

    FoundScore Type:
    Defines the set of calculations used to determine the FoundScore value. Choose Internal or External.

     

    Reporting Options:
     

    HTML Report - The HTML Report allows enterprise manager users to view report results online through their browser.

     

    PDF Report - Select this option to create PDF reports for this scan. PDF reports are printable files and can be viewed with the Adobe Acrobat Reader or other PDF software.

     

    CSV Report Options - This option creates comma-separated-value reports. These can be easily imported into spreadsheets and other programs.

     

    XML Report - Create XML output for reading the data into other programs.

     

    reports.PNG

    Scheduler

     

    The Schedule Tab lets you activate and set a recurring schedule for the scan.

     

     

    When scheduling a daily, weekly, or monthly scan, once a scan is activated, the scan is either running or in a pending state. The pending state simply means the scan is waiting for the next scheduled time to run. If an activated scan misses a scheduled time to run (the scan engine is offline, the network is down), the activated scan will run once the scan engine is available.

     

     

     

    Example 1: A scan is scheduled to run once a week, starting on Monday. The scan engine is offline on Monday and doesn't come back online until Tuesday. The scheduled scan will start running on Tuesday, as soon as the scan engine is available.

    If an activated scan takes longer than the recurring period you set, the scan will run again at the next available start date after the scan completes.

     

     

    Example 2: A daily scan is scheduled to run at 8:00 am every day. If the scan starts on Monday at 8:00 am and completes on Tuesday at 10:00 am, the scan will start again on Wednesday at 8:00 am.
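The two scheduling rules above, modelled as an added example (not McAfee code and not part of the original guide) so you can see which scheduled slots an overrunning scan silently skips. The function names, the fixed slot grid anchored on the first scheduled start, and the dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta

def first_slot_at_or_after(anchor, period, t):
    """First slot on the recurring grid (anchor + k*period) that is >= t."""
    if t <= anchor:
        return anchor
    k = -((anchor - t) // period)  # ceiling division on timedeltas
    return anchor + k * period

def next_start(anchor, period, prev_start=None, prev_end=None, engine_up_at=None):
    """Return (start_time, skipped_slots) for the next run of an activated scan.

    anchor       -- first scheduled start (assumed to define the slot grid)
    prev_start   -- when the previous run started, None if it never ran
    prev_end     -- when the previous run completed
    engine_up_at -- when the scan engine becomes available, None if it is up
    """
    skipped = []
    if prev_start is None:
        due = anchor
    else:
        # Earliest slot strictly after the previous start.
        earliest = first_slot_at_or_after(
            anchor, period, prev_start + timedelta(seconds=1))
        # Overrun rule: wait for the first slot after the scan has completed.
        due = first_slot_at_or_after(anchor, period, max(prev_end, earliest))
        slot = earliest
        while slot < due:  # slots that passed while the scan was still running
            skipped.append(slot)
            slot += period
    # Missed-slot rule: run as soon as the engine is available again.
    start = max(due, engine_up_at) if engine_up_at else due
    return start, skipped

if __name__ == "__main__":
    monday = datetime(2024, 1, 1, 8, 0)  # constructed date, a Monday

    # Example 1: weekly scan, engine offline until Tuesday 09:30.
    print(next_start(monday, timedelta(weeks=1),
                     engine_up_at=datetime(2024, 1, 2, 9, 30)))

    # Example 2: daily scan that runs from Monday 08:00 to Tuesday 10:00.
    print(next_start(monday, timedelta(days=1),
                     prev_start=monday, prev_end=datetime(2024, 1, 2, 10, 0)))
```

A non-empty skipped list means the effective scan frequency is lower than the configured one, which is worth checking against the Previous Duration value before relying on a daily schedule.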

    On this page you can perform the following tasks:

     

     

    •  Activate or de-activate the scan, whether it is set to run immediately or at a scheduled time.
    •  Select the scan engine.
    •  Schedule the scan to run immediately, at a specific date and time, or on a recurring schedule.
    •  Set Scan Windows so that the scan only runs during specific hours.

     

    Scheduler.PNG

     

    Once the scan configuration is complete click Save and Scan Now to begin scanning.

     

     

    Scan Status

     

    Click Scan -> New Scan

     

    scan status.PNG

     

    The Scan Status page appears.  The scan status page shows the status of all the scans the user has access to. This list shows the pending and active scans so that you can monitor their status.  You must have view access to a scan for it to appear on this list.  The Scan Status page automatically refreshes every 10 seconds.  You can sort the information with the column headings. 

     

    Click the scan whose details you would like to view.  The screen appears as follows:

     

    scan status 2.PNG

     

     

    Scan status descriptions

     

    Awaiting Resources:  The scan engine resources are being used by other scans. The scan is put in a paused state. When scan engine resources become available, the scan resumes.

    If the scan engine is paused, this scan remains in this state until the engine is available.

     

    Cancel Pending:  The scan process is being canceled. A cancel command is sent to the scan engine. All incomplete batches are canceled. If the scan engine is in the process of transferring batch results, the scan engine completes that task and then cancels the scan.

     

    Canceled:  The scan is canceled.

     

    Complete:  The discovery, assessment, and post processing completed.

     

    Error:  The scan ended in an error and did not complete.

     

    Finishing:  The scan is in post-processing, like calculating the FoundScore.

     

    In Queue:  The product is preparing the scan based on the scan configuration. The scan launch command is in the command queue; the scan engine has not received the command.  The scan details are not available because the scan hasn't started.  You cannot pause or cancel a scan in the In Queue state.

     

    Offline:  The scan engine is either offline or unavailable.

     

    Pause Pending:  The scan process is being paused.

     

    Paused:  The scan is paused.

     

    Engine Paused:  The scan engine was paused.

     

    Pending:  The scan engine has received the command but has not responded with a success or failure.

     

    Resume Pending:  The scan process is starting from the paused state.

     

    Running:  The scan is running. See the scan details for more detailed information about the scan.

     

    Starting:  The scan engine has received the command and successfully responded. The scan engine is starting the scan, which includes resolving host names, sending information to the scan engine, and finding hosts.  You cannot pause or cancel a scan in the Starting state.

     

     

    Scan detail description


    Scan Timeline:  Shows the progress of the current scan using a green bar. The bar is orange if the actual scan time is significantly longer than the estimated duration.  The scan timeline does not appear the first time you run a scan. The scan timeline appears after the first successful completion of the scan.

     

    Estimated Duration:  Shows the estimated time the scan should take to complete, based on the completion history of the scan. The estimated duration does not appear the first time you run a scan. The estimated duration only appears after the first successful completion of the scan.

    The estimated duration works best when the scan configuration remains consistent (like the number of hosts being scanned and the vulnerabilities). Modifying the scan configuration might affect the estimated duration.

     

    Previous Duration:  Shows the duration of the last time the scan completed. Scans that were canceled or failed are not taken into consideration.

     

    Start:  Displays the date and time the scan started.

     

    End:  Displays the date and time the scan ended.

     

    Duration:  Displays the amount of time (hh:mm:ss) between when a scan started and when it ended.  The scan start time is obtained from the scan engine and the end time is obtained from the API server. If the scan engine and the API server are on different servers and the server clocks are not synchronized, you get an inaccurate scan time.

     

    Engine:  Displays the scan engine used during the scan.

     

    Discovery:  Shows the progress and details about the discovery portion of the scan.

    •  Hosts found – Number of hosts found compared to the number of possible hosts. Possible hosts include all IP addresses in an IP range, even if the IP address is not being used by a host.
    •  Network saturation – Percentage of discovered hosts compared to the number of potential hosts.
    •  Services found – Total number of services found on all hosts discovered by the scan.
    •  Average services per host – Total number of services divided by the total number of discovered hosts.
    •  Discovery batches completed – Number of discovery batches completed compared to the total number of discovery batches.

     

    Discovered Operating Systems:  Shows the five operating systems with the highest number of discovered hosts and the number of hosts running other operating systems (Other Operating Systems).

    Hovering over a pie slice displays the number of hosts found with that operating system. Clicking on the pie chart displays a list of all operating systems and the number of hosts in each.

     

    Assessment:  Shows the progress and details about the assessment portion of the scan.

    •  Hosts assessed – Number of hosts assessed compared to the number of hosts discovered.
    •  Hosts not assessed – Number of hosts not assessed by the scan. This includes hosts that were partially assessed, like an assessment timing out when the maximum amount of time allowed to scan a single host is reached.
    •  Vulnerabilities found – Total number of vulnerabilities found on all hosts assessed by the scan.
    •  Average vulns per host – Total number of vulnerabilities divided by the total number of assessed hosts.
    •  Assessment batches completed – Number of assessment batches completed compared to the total number of assessment batches.

     

    Vulnerabilities by Risk:  Shows the high, medium, low, and informational vulnerabilities found as a pie chart. Hovering over a section of the pie chart shows the number of vulnerabilities discovered for that risk level.

     

    Post Processing:  Shows the progress of the post processing for the scan. Post processing begins after assessment is complete. Post processing includes updating asset data, computing data (like FoundScore), and adding the report to the queue for generating the scan report.

     

    Logs:  Shows the last five log messages for the scan. The logs are updated at regular intervals.

    This information comes from the scan engine. If the scan controller is on the same server as the scan engine, the scan controller log messages should display.

    These messages are provided to show the scan is still active. Some scan processes, like batch processing, can take a long time to complete, and during that time, the scan may appear to be stuck. The log messages show whether the scan is still active by updating every 10 seconds. If the messages do not change for a long time, the scan might be stuck.

     

    Errors:  If one or more errors occur during a scan, an error link is available on the Scan Details page. Click the errors link to view a list of errors.

    This information comes from the scan engine. If the scan controller is on the same server as the scan engine, the scan controller error links should display.

    There are scan events that are logged as errors that do not negatively impact the scan. McAfee recommends only viewing the error messages if your scan fails, with the help of technical support.

    For recovered scans, the error count might be inaccurate, depending on how much work must be redone to recover the scan. Scan recovery occurs when a scan engine is restarted during a scan.

    Note: Organization administrators, workgroup administrators, and the global administrator can view scan errors.

     

     

     

     

     

    Contact Us

     

     

    For additional information including a demo of McAfee Vulnerability Manager go to:

     

    http://www.mcafee.com/us/products/vulnerability-manager.aspx

     

    or contact us at:

     

    http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales