Scanning for Vulnerabilities

Scenario

HSS can scan for Linux, Windows, Web-CMS, application, and emergency vulnerabilities. Automatic, scheduled, and manual scans are supported.

Automatic scan
By default, Linux, Windows, and Web-CMS vulnerabilities are automatically scanned every day. Application vulnerabilities are automatically scanned every Monday. The automatic scan time of application vulnerabilities varies with the scan time of middleware, web services, databases, and web framework assets. For details about how to check and configure the asset scan time, see Asset Discovery.

If a manual or scheduled vulnerability scan has been performed in a day, HSS will not automatically scan for vulnerabilities on that day.
Scheduled scan
By default, a full server vulnerability scan is performed once a week. To protect workloads, you are advised to set a proper scan period and scan server scope to periodically scan server vulnerabilities.
Manual scan
If you want to view the vulnerability fixing status or real-time vulnerabilities of a server, you are advised to manually scan for vulnerabilities.

This section describes how to manually scan for vulnerabilities and configure a scheduled scan policy.

Constraints

If the agent version of the Windows OS is 4.0.18 or later, application vulnerability scan is supported. If the agent version of the Linux OS is 3.2.9 or later, emergency vulnerability scan is supported. For details about how to upgrade the agent, see Upgrading the Agent.
The Server Status is Running, Agent Status is Online, and Protection Status is Protected. Otherwise, vulnerability scan cannot be performed.
For details about the types of vulnerabilities that can be scanned by different HSS editions, see Types of Vulnerabilities That Can Be Scanned and Fixed by HSS.
For details about the OSs supported by vulnerability scan, see OSs that Support Vulnerability Scan and Fix.

Manual Vulnerability Scan

Log in to the HSS console.
Click in the upper left corner and select a region or project.
In the navigation pane, choose Risk Management > Vulnerabilities.
Click Scan in the upper right corner of the Vulnerabilities page.

To scan for emergency vulnerabilities, locate the row of an emergency vulnerability, and click Scan in the Operation column.

Figure 1 Manual scan

In the Scan for Vulnerability dialog box displayed, set the vulnerability types and scope to be scanned. For more information, see Table 1.

Figure 2 Configuring a scan
Click to enlarge

**Table 1** Parameters for manual scan vulnerabilities
Parameter	Description	Example Value
Type	Select one or more types of vulnerabilities to be scanned. Possible values are as follows: Linux Windows Web-CMS Application Emergency	Select all
Scan	Select the servers to be scanned. Possible values are as follows: All servers Selected servers You can select a server group or search for the target server by server name, ID, EIP, or private IP address. The following servers cannot be selected for vulnerability scan: Servers are protected by basic edition HSS. Servers that are not in the Running state Servers whose agent status is Offline	All servers

Click OK.
In the upper right corner of the Vulnerabilities page, click Manage Task, and click the Scan Tasks tab. View the scan task execution status.
In the Operation column of the target scan task, click View Details to view the scan details of a specific server.
Figure 3 Viewing scan tasks
You can also choose Asset Management > Servers & Quota and manually scan for vulnerabilities on a single server on the Servers tab page. The procedure is as follows:
1. Click a server name.
2. Choose Vulnerabilities.
3. Click the tab of a vulnerability type to be scanned and click Scan.

Scheduled vulnerability scan

Log in to the HSS console.
Click in the upper left corner and select a region or project.
In the navigation pane, choose Risk Management > Vulnerabilities.
In the upper right corner of the Vulnerabilities page, click Scheduled Scan Policy. The Configure Scheduled Scan Policy page is displayed.

Figure 4 Scheduled scan policy

On the Configure Scheduled Scan Policy page, configure the parameters such as the scan period and server scope.

Figure 5 Configuring a scheduled scan policy
Click to enlarge

**Table 2** Parameters of a scheduled scan policy
Parameter	Description
Scheduled Vulnerability Scan	Whether to enable scheduled vulnerability scan. : enabled.
Type	Types of the vulnerabilities you want to scan. The options are: Linux vulnerabilities Windows vulnerabilities Web-CMS vulnerabilities Application vulnerabilities Emergency vulnerabilities
Scan Period	Interval for performing scheduled scans. The options are: Every day: The scan task will be performed once a day. Every three days: The scan task will be performed every three days, for example, on the first, fourth, and seventh days. Every week: The scan task will be performed on multiple days in each week. For example, you can select Monday, Wednesday, and Friday. Every month: The scan task will be performed on multiple days in each month. You can select days between the 1st day and the 31st day. If you select the 29th, 30th, or 31st day, on any month where that day does not exist, the scan task will be performed on the last valid day of that month.
Scanned	Time when the scheduled scan task is performed. The system scans each selected server one by one based on the scan time you configure. So, the actual scan time of some servers may be different from the configured time.
Servers	Select the scope of servers to be scanned. You can select All servers or Specified servers. The following servers cannot be selected for vulnerability scan: Servers that use the HSS basic edition Servers that are not in the Running state Servers whose agent status is Offline

Click OK.
In the upper right corner of the Vulnerabilities page, click Manage Task, and click the Scan Tasks tab. View the scan task execution status.

In the Operation column of the target scan task, click View Details to view the scan details of a specific server.
Figure 6 Viewing scan tasks