Vulnerability Scan

HSS can scan for Linux, Windows, Web-CMS, application, and emergency vulnerabilities. Automatic, scheduled, and manual scans are supported.

Automatic scan
By default, Linux, Windows, and Web-CMS vulnerabilities are automatically scanned every day. Application vulnerabilities are automatically scanned every Monday. The time of an automatic application vulnerability scan changes with the middleware asset scan time. For details about how to view and set the latter, see Asset Discovery.

If a manual or scheduled vulnerability scan has been performed in a day, HSS will not automatically scan for vulnerabilities on that day.
Scheduled scan
By default, a full server vulnerability scan is performed once a week. To protect workloads, you are advised to set a proper scan period and scan server scope to periodically scan server vulnerabilities.
Manual scan
If you want to view the vulnerability fixing status or real-time vulnerabilities of a server, you are advised to manually scan for vulnerabilities.

This section describes how to manually scan for vulnerabilities and configure a scheduled scan policy.

Constraints

If the agent version of the Windows OS is 4.0.18 or later, application vulnerability scan is supported. If the agent version of the Linux OS is 3.2.9 or later, emergency vulnerability scan is supported. For details about how to upgrade the agent, see Upgrading the Agent.
The Server Status is Running, Agent Status is Online, and Protection Status is Protected. Otherwise, vulnerability scan cannot be performed.
For details about the types of vulnerabilities that can be scanned by different HSS editions, see Types of Vulnerabilities That Can Be Scanned and Fixed.

For details about the OSs supported by Linux and Windows vulnerability scan, see Table 1. Emergency vulnerability scan supports x86 Ubuntu, CentOS, EulerOS, Debian, and AlmaLinux.

**Table 1** OSs supporting vulnerability scan
OS Type	Supported OS
Windows	Windows Server 2019 Datacenter 64-bit English (40 GB) Windows Server 2019 Datacenter 64-bit Chinese (40 GB) Windows Server 2016 Standard 64-bit English (40 GB) Windows Server 2016 Standard 64-bit Chinese (40 GB) Windows Server 2016 Datacenter 64-bit English (40 GB) Windows Server 2016 Datacenter 64-bit Chinese (40 GB) Windows Server 2012 R2 Standard 64-bit English (40 GB) Windows Server 2012 R2 Standard 64-bit Chinese (40 GB) Windows Server 2012 R2 Datacenter 64-bit English (40 GB) Windows Server 2012 R2 Datacenter 64-bit Chinese (40 GB)
Linux	EulerOS 2.2, 2.3, 2.5, 2.8, and 2.9 (64-bit) CentOS 7.4, 7.5, 7.6, 7.7, 7.8 and 7.9 (64-bit) Ubuntu 16.04, 18.04, 20.04, 22.04 (64-bit) Debian 9, 10, and 11 (64-bit) Kylin V10 (64-bit) HCE 1.1 and 2.0 (64-bit) SUSE 12 SP5, 15 SP1, and 15 SP2 (64-bit) UnionTech OS V20 server E and V20 server D (64-bit)

Manual Vulnerability Scan

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
In the navigation pane, choose Risk Management > Vulnerabilities.
Click Scan in the upper right corner of the Vulnerabilities page.

To scan for emergency vulnerabilities, locate the row of an emergency vulnerability, and click Scan in the Operation column.

Figure 1 Manual scan

In the Scan for Vulnerability dialog box displayed, set the vulnerability types and scope to be scanned. For more information, see Table 2.

Figure 2 Configuring a scan

**Table 2** Parameters for manual scan vulnerabilities
Parameter	Description	Example Value
Type	Select one or more types of vulnerabilities to be scanned. Possible values are as follows: Linux Windows Web-CMS Application Emergency	Select all
Scan	Select the servers to be scanned. Possible values are as follows: All servers Selected servers You can select a server group or search for the target server by server name, ID, EIP, or private IP address. NOTE: The following servers cannot be selected for vulnerability scan: Servers are protected by basic edition HSS. Servers that are not in the Running state Servers whose agent status is Offline	All servers

Click OK.
In the upper right corner of the Vulnerabilities page, click Manage Task, and click the Scan Tasks tab. View the scan task execution status.
If a vulnerability scan task fails, click View Failure Cause in the Operation column of the task to view details.
Figure 3 Viewing scan tasks
You can also choose Asset Management > Servers & Quota and scan a single server for vulnerabilities on the Servers tab. The procedure is as follows:
1. Click a server name.
2. Choose Vulnerabilities.
3. Click the tab of a vulnerability type to be scanned and click Scan.

Scheduled vulnerability scan

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
In the navigation pane, choose Risk Management > Vulnerabilities.
In the upper right corner of the Vulnerabilities page, click Scheduled Scan Policy. The Configure Scheduled Scan Policy dialog box is displayed.

Figure 4 Scheduled scan policy
In the dialog box, configure parameters such as the period and scope for scheduled vulnerability scanning.

Figure 5 Configuring scheduled scan policy
- Scheduled Vulnerability Scan: Select whether to enable scheduled vulnerability scan. indicates it is enabled.
- Type: Select the type of vulnerabilities to be scanned.
- Scan Period: Select Every day, Every three days, or Every week. The default scan duration is 00:00:00 - 07:00:00 and cannot be changed.
- Servers: Select the server to be scanned.
  The following servers cannot be selected for vulnerability scan:
  - Servers are protected by basic edition HSS.
  - Servers that are not in the Running state
  - Servers whose agent status is Offline

In the upper right corner of the Vulnerabilities page, click Manage Task, and click the Scan Tasks tab. View the scan task execution status.

If a vulnerability scan task fails, click View Failure Cause in the Operation column of the task to view details.
Figure 6 Viewing scan tasks