Scanning Virtual Machines in an Enterprise Environment


I would like to know if there is any danger when running a scan on virtual machines running services.

In other words, can it be dangerous for these machines in production to run tests on them?

I do not know what kind of tests, commands, attacks are made on the machines and if this could become harmful to them causing the denial of service they offer or any kind of problem.

Thank you very much in advance!

Unfortunately there probably won’t be an easy answer to this question. When scanning unknown environments (or environments which where never scanned by a vulnerability scanner before) you need to be aware that anything bad can happen at any time.

Basically you need to be aware of the following risks when using a vulnerability scanner and take precautions against possible outages or similar on productive environments:

2 . Read Before Use

The Greenbone Security Manager (GSM) includes a full-featured Vulnerability Scanner. While the vulnerability scanner is designed to have a minimal invasive impact on your network environment, it still needs to interact and communicate with the target systems which are analyzed during a vulnerability scan.

Remember that it is the fundamental task of this solution to find and identify otherwise undetected vulnerabilities. The scanner must behave to a certain extent like a real attacker would.

While the default and recommended settings reduce the impact of the vulnerability scanner to the environment to a minimum, unwanted side effects may still occur. The scanner settings allow the control and refinement of the scanner’s effects. Please be aware of the following general side effects:

  • Log and alert messages may show up on the target systems triggered by the probes of the vulnerability scanner.
  • Log and alert messages may show up on firewalls and intrusion detection and prevention systems.
  • Scans may increase latency on the target and/or the network being scanned, in extreme cases resulting in situations similar to a denial of service (DoS) attack.
  • Scans may trigger bugs in fragile or insecure applications resulting in faults or crashes.
  • Scans may result in user accounts being locked due to the testing of default username/password combinations.
  • Embedded systems and elements of operational technology with weak network stacks are especially subject to possible crashes or even broken devices.

Remember that triggering faults, crashes or locking with default settings means that an attacker can do the very same at unplanned times and to an unplanned extent. Finding out about it earlier than the attacker is the key to resilience.

While these side effects are very rare when using the default and recommended settings, the vulnerability scanner allows the configuration of invasive behavior and thus will increase the probability of the above listed effects.

Before using the GSM to scan the target systems in your environment please be aware of these facts and verify that you are authorized to execute such scans.

Thanks so much for your help!

I will look at the configuration of the scan to avoid causing as little damage as possible.