Understanding the Lite OS Detection Option

The VM option profile provides an option for Lite OS Scans. Here we'll describe this option and its impact.

 

Enable list OS detection option in VM option profile

 

The Problem

In a normal scan some of the methods used to identify the operating system of a target are expensive both computationally and in terms of time required. In addition, some of these methods may create a large number of system or application alerts if the target is so configured.

 

What the Option Does

When this option is enabled and QID 45017 is present in a scan, the scan job removes expensive OS detection methods from initial host discovery phase only. These methods may still be executed later during vulnerability testing if other QID detections need them, but not as a part of host discovery when basic host inventory info is collected

Without the option selected, the presence of QID 45017 in the list of requested QIDs causes the scanner to enable ALL available modules that could lead to any OS detection method. This includes a number of very expensive modules, including web page analysis and partial web spidering.

 

Impacts

Enabling the option may reduce the amount of time required for OS detection, and may also reduce alert traffic to system/application administrators. The option may also reduce the accuracy of the OS detection. However, if the scan is authenticating to the target this reduction of accuracy may be avoided, as authenticated OS detection is usually a much higher accuracy than remote detections. As always, testing in your environment is encouraged.

 

Additional Details

Enabling Lite OS Detection will remove the following OS discovery methods from a scan:

- Telnet

- MSRPC

- HTTP: PHP-based information from PHP information/debugging pages

- NTP

- VMware ESXi web service

With the option enabled, the scanner will perform an identical scan as without it enabled, with the sole exception that the very expensive modules will no longer be triggered automatically by the presence of QID 45017, and the corresponding expensive OS discovery methods would no longer be used – UNLESS the scan also requested other QIDs which require the inclusion of those same modules. This means with the flag set the expensive OS detection methods would still be used if their use was incidental, as part of other detections, but the use of those methods would not be forced by just the presence of QID 45017.

The overall list of OS detection methods, and the possibility of authenticated scans using additional, better OS detection methods, has not been changed in any way, and is not affected by the flag.