"Web Application Abuse" Family in the "Full and Fast" Scan Policy

Hi!

  1. Yes, the “Web application abuses” family is very much recommended for unauthenticated scans. A lot of those checks actually do some kind of active check (trying to actively confirm a vulnerability with all kinds of HTTP(S) requests). However, there are also simple version checks which will get missed if the family is not activated. The higher scan time is very much expected, as it will first try to map the web application, trying different ways to get information from the server which will be used in later checks. Depending on the web server this can take quite some time.

  2. This depends on your environment. Some desktop/laptop based software still populates some kind of web server which might get missed if the family is not enabled. However, if you want to take the risk or you are sure that no unknown web service is running (or it is firewalled etc.), you can of course decide to leave those checks out.

So to summarize: just a few checks in the “Web application abuses” family need authentication, and those will state it in the report. The family has some web spidering/mapping functionality, hence the longer scan time. Any tuning of the scan config depends on your environment/needs/risk assessment, which needs to be decided by you.

Hope this helps.
Christian

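The answer above makes leaving out the family conditional on being sure that no unknown web service is listening. The following is an added example (not code from the forum post, from Greenbone, or from the OpenVAS scanner) of the kind of pre-check a scan operator could run over the hosts in scope before making that decision: it opens a TCP connection, sends a minimal HEAD request and records the status line and Server header of anything that answers in HTTP. The port list is an assumption about typical web ports, and the local demo server is constructed so the example runs offline.

```python
"""Probe host:port pairs for HTTP(S)-speaking services.

Added example, not part of the original post. Helps answer "is any
unknown web server running here?" before dropping the "Web application
abuses" family from a scan config. COMMON_WEB_PORTS is an assumption;
the demo server below is constructed for an offline run.
"""
import http.server
import socket
import ssl
import threading

COMMON_WEB_PORTS = (80, 443, 8000, 8080, 8443)   # assumed typical ports
TLS_PORTS = (443, 8443)                          # assumed to require TLS


def probe_http(host, port, timeout=3.0, use_tls=False):
    """Send a minimal HEAD request; return (status_line, server_header) or None.

    None means nothing that speaks HTTP answered: closed port, timeout,
    TLS failure, or a banner that does not start with "HTTP/".
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE   # discovery only, no trust decision
            sock = ctx.wrap_socket(sock, server_hostname=host)
        request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\r\n\r\n" in b"".join(chunks):   # header block is complete
                break
        raw = b"".join(chunks).decode("iso-8859-1", errors="replace")
    except OSError:                               # ssl.SSLError is an OSError
        return None
    finally:
        sock.close()
    if not raw.startswith("HTTP/"):
        return None
    lines = raw.split("\r\n")
    server = ""
    for line in lines[1:]:
        if line.lower().startswith("server:"):
            server = line.split(":", 1)[1].strip()
            break
    return lines[0], server


def find_web_services(hosts, ports=COMMON_WEB_PORTS, timeout=3.0):
    """Return {(host, port): (status_line, server_header)} for every responder."""
    found = {}
    for host in hosts:
        for port in ports:
            result = probe_http(host, port, timeout=timeout,
                                use_tls=port in TLS_PORTS)
            if result is not None:
                found[(host, port)] = result
    return found


class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed local web server, used only to exercise the probe offline."""
    server_version = "ConstructedHTTPD/1.0"
    sys_version = ""

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_demo_server():
    """Start the constructed server on a free loopback port; return (server, port)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, demo_port = start_demo_server()
    try:
        # Sweep loopback on the demo port; anything found would argue for
        # keeping the "Web application abuses" family enabled.
        print(find_web_services(["127.0.0.1"], ports=(demo_port,)))
    finally:
        srv.shutdown()
```

A non-empty result from `find_web_services` over the in-scope hosts is the signal to keep the family enabled; an empty one only covers the ports probed, so widen the port list to match what the environment is known to use.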