Hi, I’ve installed an OpenVAS on Kali Linux with the “apt install openvas” as normal, ran the setup, everthing fine. I’ve set a scan of ~230 hosts, almost all of them are active so I set the “Consider Alive” option, only scanning ports 22 and 443 in each of them.
The problem is that the scan is currently running and is at 45%, it’s been around 12 hours since it started and if I look into the RAM usage I can only see 4GB of the total 64GB. It’s a Hyper-V Gen 2 Virtual Machine, the OpenVAS version is “22.7.5” from the command “openvas --version”.
Any idea on why it is only using 4GB of the total 64GB? I want this machine just to do scans so I would like for OpenVAS to use almost all of the RAM if necessary and not only 4GB.
First post, if anything is wrong just tell me, thank you in advance!
You didn’t really specify whether the 4GB is reported from the bare metal host or VM you need to look into how to configure your VM properly so it has access to all the RAM.
If I do a “free -m” in the VM or with “top” it says that the total memory is 64GB, so I think that the VM is configured properly, the real machine has a total of 320GB of RAM so it should work properly.
Are you saying that maybe some configuration is blocking the VM from accessing more memory?
No, as I said, you didn’t show that you had checked that configuration so, its the first place to look. Seems the VM has access to the RAM.
You can also check the scan task’s settings. The scan task has a limit to concurrently scanned hosts and threads, and NVTs per host. You can increase these to use more resources.
Currently that configuration is at “6 NVTs per host” and “20 concurrent hosts”.
Increasing this makes sense, but when I launch more than one scan at same time, each of the scans having “4 NVTs per host”, “20 concurrent hosts” and the “Scan Config” in “Full and fast”, with that the maximum RAM usage I’ve seen with 4 simultaneous scans is 5GB.
I don’t know if this behavior is from OpenVAS or Hyper-V maybe is configured in some way so that the machines can’t use more than 4GB of RAM even if I configured them with 64GB.
Any idea? I’ll now search on internet to see if I find something about some limitation in Hyper-V.
The CPU cores doesn’t seem to be the problem, on the previous machine that had OpenVAS installed the scan took only 10 hours with 8GB RAM and 4CPU, and the second test I did with the new machine the report says it had a duration of 22 hours but it got interrupted at 69%, i don’t know why but now that’s not the matter.
I looked at all the history from the command line of the other machine and the only command executed that maybe can modify the timing is: sudo -E -u _gvm -g _gvm gvmd --modify-setting 76374a7a-0569-11e6-b6da-28d24461215b --value 10000
But thats only for the reports as I searched for internet.
Any idea on why it is so slow now? I thought it maybe was the low RAM usage thats why I put that title, but I dont know what would be the normal RAM usage for this scan of 230 hosts with 2 ports per host.
EDIT: The 8 Cores are at 100% with the scan running
Doesn’t this indicate your CPU is the bottleneck? I don’t often use Hyper-V, but VirtualBox and KVM require the VM’s CPU allocation to be explicitly configured and the default is very low.
You can also increase the number of concurrent hosts from the default 20 to more like 30 or higher? This would take advantage of more hardware resources, and spawn more threads, but if the CPU is maxed out, it will not increase processing times.
If I run a scan on the machine that can run the scans a lot faster, the CPU’s also reach 100% of constant usage, just like the slow one, so I dont know if that’s the problem. As I said, I’ll continue my research
You have to look into your alive criteria and port-list as well. If you do scan UDP you will waist a lot of waiting time if a firewall is dropping UDP probes. Please check the other posts here as well.
The alive criteria is “Consider Alive” because if I do manually the ping scan with nmap, around 225 hosts out of the original 230 are alive.
Referering to the port-list I’m only scanning the 22 and 443 which I said in first post, didn’t specify it but is in TCP (as you might guess by the numbers)
Testing other smaller scans, 12 Hosts, “All IANA Assigned TCP” in the ports section, in the old Kali, the fast one, it runs in about 40 minutes. In the new one the first time I ran it, it spend 1 and a half hour, but the second time it spend only 30 minutes, so I dont know what causing this. Any more ideas?
Don´t use that. I would suggest you do a TCP-443 or TCP-22 as alive criteria.
Additional check:
Scan port 22 only
Scan port 443 only
Turn off named-virtual-hosts within the scanner configuration.
Increase the log level from OpenVAS Scanner and check what NVT took what time.
