Updated on 2024-01-16 GMT+08:00

Vulnerability Scan

HSS can scan for Linux, Windows, Web-CMS, application vulnerabilities, and emergency vulnerabilities. Automatic and manual scans are supported.

  • Automatic scan: By default, HSS scans for Linux, Windows, Web-CMS, and application vulnerabilities once a week. You can also configure the automatic scan period and scan scope as required. By default, automatic scan is disabled for emergency vulnerabilities. You can configure a scan policy to enable automatic scan.
  • Manual scan: To view real-time vulnerabilities of a server, you can manually scan for vulnerabilities.

This section describes how to set an automatic scan policy and manually scan for vulnerabilities.

Constraints

  • Application vulnerability scan on Windows requires agent version 4.0.18 or later, and emergency vulnerability scan on Linux requires agent version 3.2.9 or later. For details about how to upgrade the agent, see Upgrading the Agent.
  • Vulnerability scan can be performed only when Server Status is Running, Agent Status is Online, and Protection Status is Protected.
  • For details about the types of vulnerabilities that can be scanned by different HSS editions, see Types of Vulnerabilities That Can Be Scanned and Fixed.
  • For details about the OSs supported by Linux and Windows vulnerability scan, see Table 1. Emergency vulnerability scan supports Ubuntu, CentOS, EulerOS, Debian, and AlmaLinux.
    Table 1 OSs supporting vulnerability scan

    OS Type

    Supported OS

    Windows

    • Windows Server 2019 Datacenter 64-bit English (40 GB)
    • Windows Server 2019 Datacenter 64-bit Chinese (40 GB)
    • Windows Server 2016 Standard 64-bit English (40 GB)
    • Windows Server 2016 Standard 64-bit Chinese (40 GB)
    • Windows Server 2016 Datacenter 64-bit English (40 GB)
    • Windows Server 2016 Datacenter 64-bit Chinese (40 GB)
    • Windows Server 2012 R2 Standard 64-bit English (40 GB)
    • Windows Server 2012 R2 Standard 64-bit Chinese (40 GB)
    • Windows Server 2012 R2 Datacenter 64-bit English (40 GB)
    • Windows Server 2012 R2 Datacenter 64-bit Chinese (40 GB)

    Linux

    • EulerOS 2.2, 2.3, 2.5, 2.8, and 2.9 (64-bit)
    • CentOS 7.4, 7.5, 7.6, 7.7, 7.8, and 7.9 (64-bit)
    • Ubuntu 16.04, 18.04, and 20.04 (64-bit)
    • Debian 9 and 10 (64-bit)
    • Kylin V10 (64-bit)
    • AlmaLinux 8.4 (64-bit)
    • SUSE Linux 12 SP5, 15 SP1, 15 SP2 and 15.5 (64-bit)
    • UnionTech OS V20 server E and V20 server D (64-bit)

Manual Vulnerability Scan

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click the service list icon, and choose Security & Compliance > HSS.
  3. In the navigation pane, choose Prediction > Vulnerabilities.
  4. Click Scan in the upper right corner of the Vulnerabilities page.

    To scan for emergency vulnerabilities, locate the row of an emergency vulnerability and click Scan in the Operation column.

  5. In the Scan for Vulnerability dialog box displayed, select the vulnerability type and scope to be scanned. For more information, see Table 2.

    Table 2 Parameters for manual vulnerability scan

    Parameter

    Description

    Type

    Select one or more types of vulnerabilities to be scanned. Possible values are as follows:

    • Linux
    • Windows
    • Web-CMS
    • Application
    • Emergency

    Scan

    Select the servers to be scanned. Possible values are as follows:

    • All servers
    • Selected servers

      You can select a server group or search for the target server by server name, ID, EIP, or private IP address.

    NOTE:

    The following servers cannot be selected for vulnerability scan:

    • Servers protected by the HSS basic edition
    • Servers that are not in the Running state
    • Servers whose agent status is Offline

  6. Click OK.
  7. Click Manage Task in the upper right corner of the Vulnerabilities page. On the Manage Task slide-out panel displayed, click the Scan Tasks tab to view the status and scan result of the vulnerability scan task.

    Click the number next to the red figure in the Scan Result column to view information about the servers that fail to be scanned.

    You can also choose Asset Management > Servers & Quota and scan a single server for vulnerabilities on the Servers tab. The procedure is as follows:

    1. Click a server name.
    2. Choose Vulnerabilities.
    3. Choose the vulnerability type to be scanned and click Scan.
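The preconditions in Constraints and the scan-scope note above (server running, agent online, protection enabled, edition not basic, and the agent-version thresholds for Windows application scan and Linux emergency scan) can be pre-checked against a server inventory before a scan is started. The following is an added example, not HSS code: the Server fields and the inventory are constructed by hand, and the page describes no HSS API for this.

```python
# Added example (not HSS code): encode the page's scan preconditions so an
# inventory can be pre-checked before a manual scan or scan policy is created.
from dataclasses import dataclass

EMERGENCY_OS = ("Ubuntu", "CentOS", "EulerOS", "Debian", "AlmaLinux")
MIN_WIN_APP_AGENT = (4, 0, 18)     # Windows agent needed for application scan
MIN_LINUX_EMERG_AGENT = (3, 2, 9)  # Linux agent needed for emergency scan

@dataclass
class Server:                 # constructed record shape, not an HSS type
    name: str
    os_family: str            # "Windows" or "Linux"
    distro: str               # e.g. "CentOS"; "" for Windows
    agent_version: str        # e.g. "3.2.10"
    server_status: str        # "Running", "Stopped", ...
    agent_status: str         # "Online" or "Offline"
    protection_status: str    # "Protected" or "Unprotected"
    edition: str              # "basic", "professional", "enterprise", ...

def parse_version(v: str) -> tuple:
    """'3.2.10' -> (3, 2, 10): compare numerically, so 3.2.10 > 3.2.9."""
    return tuple(int(p) for p in v.split("."))

def scan_eligibility(s: Server) -> tuple:
    """Return (scannable vulnerability types, reasons the server is blocked)."""
    rules = [
        (s.server_status != "Running", "server is not Running"),
        (s.agent_status != "Online", "agent is not Online"),
        (s.protection_status != "Protected", "protection is not enabled"),
        (s.edition == "basic", "basic edition servers cannot be selected"),
    ]
    blockers = [why for bad, why in rules if bad]
    if blockers:
        return [], blockers
    agent = parse_version(s.agent_version)
    if s.os_family == "Windows":
        types = ["Windows", "Web-CMS"]   # page states no extra Web-CMS rule
        if agent >= MIN_WIN_APP_AGENT:
            types.append("Application")
    else:
        types = ["Linux", "Web-CMS", "Application"]
        if agent >= MIN_LINUX_EMERG_AGENT and s.distro in EMERGENCY_OS:
            types.append("Emergency")
    return types, []

# Constructed sample inventory (not real servers).
INVENTORY = [
    Server("web-01", "Linux", "CentOS", "3.2.10", "Running", "Online", "Protected", "enterprise"),
    Server("win-01", "Windows", "", "4.0.17", "Running", "Online", "Protected", "professional"),
    Server("db-02", "Linux", "Ubuntu", "3.2.9", "Running", "Offline", "Protected", "basic"),
]
```

OS-version support per Table 1 is not checked here; the function only encodes the status, edition and agent-version rules stated in the text.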

Automatic Vulnerability Scan

  • By default, the basic edition automatically scans for Linux and Windows vulnerabilities in the early morning every day; the scan period and scope cannot be configured.
  • For the professional or higher editions, you can configure the scan period and scope to periodically scan for vulnerabilities on servers.

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click the service list icon, and choose Security & Compliance > HSS.
  3. In the navigation pane, choose Prediction > Vulnerabilities.
  4. In the upper right corner of the Vulnerabilities page, click Configure Policy to set the vulnerability scan period and scope.

    • Vulnerability Type
    • Scan Period
      • Scan period: The default scan time window is 00:00:00 - 07:00:00 and cannot be changed.
      • Scan Period: Select the scan frequency: Every day, Every three days, or Every week.
    • Scan
      • Enable or disable server scan: Turn the switch on to enable server scan, or off to disable it.
      • Select the servers to scan: Click Select Server to Scan. On the server management page displayed, select the servers to be scanned.

        The following servers cannot be selected for vulnerability scan:

        • Servers protected by the HSS basic edition
        • Servers that are not in the Running state
        • Servers whose agent status is Offline

  5. Click Manage Task in the upper right corner of the Vulnerabilities page. On the Manage Task slide-out panel displayed, click the Scan Tasks tab to view the status and scan result of the vulnerability scan task.

    Click the number next to the red figure in the Scan Result column to view information about the servers that fail to be scanned.