5 Replies Latest reply on Jun 15, 2018 12:05 AM by Schroedi

    Question about Vulscan and (possibly) an issue

    Schroedi Apprentice

      Hello everyone,

       

      I've got a question about the function of the Vulscan. Maybe we've got a problem here or not, who knows...

       

       

      Our agent is configured that Vulscan runs on our servers every day at 9pm. Random delay up to 1 hour and at least 15 minutes.

      And here is my first question: The 9pm time is not shown on the schedule overview, is that an issue (see picture)? In another agent

      configuration (for our clients) the time is shown in the overview.

       

      1.jpg

      I found several Vulscan logs on our servers, but none from 9pm. For example there is a log from about 00:00 of 60kb and another from 05:50pm with 8mb

      for 23rd of Mai. The times are different on other servers.

       

      When I watch in the inventory and the scheduled tasks there are two Vulscan tasks. (5) started at 05:21am and (9) started at 17:00pm with command line /continue.

       

      3.jpg

      4.jpg

      Can someone explain me if this is an issue or the function of Vulscan?

       

      Thank you very much.

        • 1. Re: Question about Vulscan and (possibly) an issue
          Peter Massa Expert

          That is the start time.  So if you have it configured for 9:00 tonight, with a 15 min to 60 min delay it may start at 9:35.  Then you have it set to restart again 24 hours later.  So now it will start tomorrow at 9:35 (last time it ran) with a 15-60 min delay.  So it may start at 10:07 now.  So over time this will keep drifting.

           

          I think you need to either do a maintenance window, or enable the time range option in your current screen shot and lock it in from 9-10.  So that it will always start some where in that range.

           

          This is working as designed.

           

          Peter

          • 2. Re: Question about Vulscan and (possibly) an issue
            Diane Rookie

            The time start you have circled just means that vulscan can scan after this date and time usually this defaults to the time you create the agent setting, it will not define what time it will run. ie you push a distribution and patch agent setting to a device at 3pm it installs fine and by the time it gets to running the vulscan it may be 4:30pm that is the first time vulscan will run on that device, subsequent runs of vulscan will run based on the 4:30 with additional delay of an hour (assuming a machine is switched on at that time).  If you want to restrict the times vulscan can run then you need to configure the time range to allow it to run at specific times.

             

            the fact that vulscan is running more than once could be down to a few things which I cannot see from your screenshots, the following use vulscan with different command lines

             

            1. client side certificates
            2. frequent scan
            3. pilot scan
            4. manual launch of security scan in a device
            5. repair task created to repair a vulnerability

             

            so in summary it is the function of vulscan, you wouldn't want every device suddenly scanning in at 9pm because that could impact the core or the network.

            • 3. Re: Question about Vulscan and (possibly) an issue
              phoffmann SupportEmployee

              You've only configured a "start" time window, rather than a recurring "run from X to Y" time-filter. So you will be subject to time-creep, as per my explanation in this article here:

              -- Local Scheduler and being aware of time creep .

               

              That should help you understanding how things are (logically) happening in your environment. You can (/should?) control things with a time filter (i.e. "only start from X to Y time") and maybe combine it with a random delay, to control what happens when.

               

              Hope that helps a bit.

              1 of 1 people found this helpful
              • 4. Re: Question about Vulscan and (possibly) an issue
                Thomas.Bergmann Rookie

                You should also keep in mind that if you use the time filter and the start time is not in that frame, the schedule will skip for this day if you use repeat every day.

                We had a similar issue and fixed this by defining a two hour time frame and repeat after 1 hour. This fixes the issue that due to time-creep the servers sometime don't scan for vulnerabilities for days.

                1 of 1 people found this helpful
                • 5. Re: Question about Vulscan and (possibly) an issue
                  Schroedi Apprentice

                  Question has been resolved, thanks everyone!