2. Read Before UseΒΆ

The Greenbone Security Manager (GSM) includes a full-featured vulnerability scanner. While the vulnerability scanner has been designed to minimize any adverse effects on the network environment, it still needs to interact and communicate with the target systems being analyzed during a scan.

Note

It is the fundamental task of the GSM to find and identify otherwise undetected vulnerabilities. To a certain extent the scanner has to behave like a real attacker would.

While the default and recommended settings reduce the impact of the vulnerability scanner on the environment to a minimum, unwanted side effects may still occur. By using the scanner settings the side effects can be controlled and refined.

Note

Be aware of the following general side effects:

  • Log and alert messages may show up on the target systems.
  • Log and alert messages may show up on firewalls and intrusion detection and prevention systems. Intrusion prevention measures may be triggered.
  • Scans may increase latency on the target and/or the scanned network, in extreme cases resulting in situations similar to a denial of service (DoS) attack.
  • Scans may trigger bugs in fragile or insecure applications resulting in faults or crashes.
  • Scans may result in user accounts being locked due to the testing of default user name/password combinations.
  • Embedded systems and elements of operational technology with weak network stacks are especially subject to possible crashes or even broken devices.

Remember that triggering faults, crashes or locking with default settings means that an attacker can do the very same at unplanned times and to an unplanned extent. Finding out about it earlier than the attacker is the key to resilience.

While the side effects are very rare when using the default and recommended settings, the vulnerability scanner allows the configuration of invasive behavior and thus will increase the probability of the effects listed above.

Note

Be aware of these facts and verify the required authorization to execute scans before using the GSM to scan the target systems.