
Timeout settings for scanning Windows machines


Article ID: 173804


Updated On:

Products

Control Compliance Suite Vulnerability Manager

Issue/Introduction

If you experience long scan times on Windows assets, you can add extra settings so that the scanner spends less time enumerating some Windows services.

Resolution

Options to add to the scanner's registry

Note: Before changing the registry, always make a backup.

* HKLM\SOFTWARE\...\eEye\Retina\5.0\Settings\AuditGeneral: RegexErrMaxTime (REG_DWORD). This registry value limits the amount of time that can be spent running WINDOWS_EXECUTE_REGEX audits in AuditGeneral. It exists because we have a number of these audits that time out after three minutes. Without this setting, AuditGeneral can run for a long time. Its range, in seconds, is from 0 to 1800, with a default of 0, which is interpreted as no time limit.

* HKLM\SOFTWARE\...\eEye\Retina\5.0\Settings\ScanX: DecideIfWindowsOrSambaWinAPI. This registry value is a boolean (0 or 1, default is 1) that determines whether Windows API functions should be used to determine if the target system is running Samba or Windows on TCP:445. Because some of the functions used in this determination (e.g., OpenSCManager()) can hang, we allow the user to set this value to 0 to disable the use of the Windows API for this purpose and rely on lower-level, but sometimes less accurate, network-based heuristics.

* HKLM\SOFTWARE\...\eEye\Retina\5.0\Settings\RetAsync: This registry hive allows the user to enable asynchronous invocation of selected Windows API functions. Asynchronous behavior is implemented by running the API call in a secondary thread, so that it can be timed out. The values in this hive are:

EnableAsyncFunctions (REG_DWORD): This boolean should be set to 1 to enable asynchronous invocation in general. Its default is 0.

LogLevel (REG_DWORD): The level at which messages should be logged. Range is 0 to 0xFF, with a default of 0x3F, which provides logging up to "notice" level.

The subkeys of RetAsync pertain to individual API functions. Both of them (OpenSCManager and RegConnectRegistry) contain a single registry value:

TimeoutMS (REG_DWORD): This determines the amount of time (in milliseconds) after which the parent thread of the asynchronous invocation considers the respective Windows API function (e.g., OpenSCManager) to be hung. In this case, the child thread that issued the API call is orphaned, and the parent thread continues without hanging the rest of the scan. This value can range from 0 to 300000 (5 minutes). The default is 0, in which case asynchronous behavior for the function is disabled.

* HKLM\SOFTWARE\...\eEye\Retina\5.0\Settings\AuditNetBIOS: AllowSchedTaskEnumerationViaLocalCom (REG_DWORD). This is also a boolean value whose default is 1, which allows the use of a COM API to obtain scheduled task information. Since this a) can hang, and b) isn't needed for the customer's use case, we set it to 0 to disable this capability.
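The settings above applied in one pass, as an added PowerShell example that is not part of the original article or its attachment: it checks each value against the range the article gives, exports a backup of the Settings key, then writes the values. The `-SettingsKey` and `-BackupFile` parameters, the sample values chosen, and the REG_DWORD type for DecideIfWindowsOrSambaWinAPI are assumptions; the article elides part of the key path, so the real path must be supplied.

```powershell
param(
    # Assumption: full path to the scanner's ...\eEye\Retina\5.0\Settings key in
    # PowerShell form (HKLM:\SOFTWARE\...). The article elides part of the path.
    [Parameter(Mandatory)] [string] $SettingsKey,
    # Assumption: backup location, not named in the article.
    [string] $BackupFile = (Join-Path $env:TEMP 'retina-settings-backup.reg')
)

# Ranges come from the article; each Value is a constructed sample choice.
# Assumption: DecideIfWindowsOrSambaWinAPI is stored as REG_DWORD (type not stated).
$settings = @(
    @{ SubKey = 'AuditGeneral'; Name = 'RegexErrMaxTime'; Min = 0; Max = 1800; Value = 300 }
    @{ SubKey = 'ScanX'; Name = 'DecideIfWindowsOrSambaWinAPI'; Min = 0; Max = 1; Value = 0 }
    @{ SubKey = 'RetAsync'; Name = 'EnableAsyncFunctions'; Min = 0; Max = 1; Value = 1 }
    @{ SubKey = 'RetAsync'; Name = 'LogLevel'; Min = 0; Max = 0xFF; Value = 0x3F }
    @{ SubKey = 'RetAsync\OpenSCManager'; Name = 'TimeoutMS'; Min = 0; Max = 300000; Value = 60000 }
    @{ SubKey = 'RetAsync\RegConnectRegistry'; Name = 'TimeoutMS'; Min = 0; Max = 300000; Value = 60000 }
    @{ SubKey = 'AuditNetBIOS'; Name = 'AllowSchedTaskEnumerationViaLocalCom'; Min = 0; Max = 1; Value = 0 }
)

# Validate every value first so a bad entry cannot leave a half-applied configuration.
foreach ($s in $settings) {
    if ($s.Value -lt $s.Min -or $s.Value -gt $s.Max) {
        throw "$($s.Name)=$($s.Value) is outside the documented range $($s.Min)..$($s.Max)"
    }
}

# Back up the whole Settings key before changing anything (reg.exe expects HKLM\..., no colon).
$regExePath = $SettingsKey -replace '^HKLM:\\', 'HKLM\'
& reg.exe export $regExePath $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $regExePath failed; nothing was changed." }

# Create missing subkeys (e.g. RetAsync\OpenSCManager) and write each value as a DWORD.
foreach ($s in $settings) {
    $key = Join-Path $SettingsKey $s.SubKey
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
    Write-Output ("{0}\{1} = {2}" -f $s.SubKey, $s.Name, $s.Value)
}
```

Run it from an elevated prompt on the scanner host; `reg.exe import` on the backup file restores the values that existed before the change.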

Attachments

reg_key_scan.reg