000026304 - Frequently Asked Questions regarding RSA NetWitness InSight

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000026304
Applies To: RSA NetWitness InSight, RSA NetWitness InSight 3.x
Issue: Frequently Asked Questions regarding RSA NetWitness InSight.
Resolution

Question:

What happens if a computer is not turned on during a scheduled scan, will it still be scanned?

Answer:

This depends on how the scan is scheduled.  If it is scheduled to "Run at System Startup", the scan runs each time the scanner service is restarted.  Typically this occurs at system startup, but it can also be triggered by stopping and starting the scanning service via the Windows Service Control Manager.  If a scan is scheduled to run at a time when the computer is powered off, the scan will not run.  When the computer is powered back on, the scanner service compares the current computer time to the scheduled scan time and waits until the next scheduled scan time is reached.  It does not recognize that a scheduled scan was missed, and it does not run another to compensate.

Question:

What happens if a computer is in standby or hibernation during a scheduled scan?

Answer:

When in standby or hibernation, the computer is suspended, and hence the scanner is suspended as well.  When the computer comes out of hibernation mode, the scanner service resumes normal activities.  The scanner service determines whether a scan was missed during standby/hibernation by checking the time of the scheduled scan and comparing it against the computer clock.  Therefore, if the computer comes out of hibernation or standby after a scheduled scan time, a scan should be run immediately to compensate.

If scans are scheduled to run at system startup, going in and out of hibernation/standby does not simulate a start-up event, and a scan will not be run.  This can be a challenge if scans are scheduled at system startup and users simply close their laptops rather than power them down.  Start-up scans would not be run, as the machine was never powered off and on.

Question:

What happens if a computer is turned on but off the network and unable to reach the scan manager during a scheduled scan?

Answer:

1.  The scanner tries to connect to the server to download the latest copy of the scheduled scan policy.  If the server is unreachable, it will fall back to using a local copy of the scan policy (e.g., running.cfg on the local machine).  As long as the machine had connected to the server successfully in the past, a local copy of the scan policy should be available and the scan will attempt to continue.

2.  The scanner parses the scan policy to determine which scan modules are required for the scan.  For each required module, the scanner will attempt to connect to the server to download the latest copy of the module.  If a connection to the server fails, then the scanner will look for and use local copies of the required scan modules.  If local copies are available, then the scanner will use the local copies and attempt to continue.  If not, the scan is not run.

3.  The scanner will examine each required module to determine if it has any dependencies.   If there are dependencies, the scanner will attempt to connect to the server to download them.  If a connection cannot be made, then local copies of these dependencies will be used.  If they are available, the scan will continue.

4.  The scan will run using local copies of the scan policy, modules and dependencies.

5.  As the scan completes, a connection to the server is attempted to upload the results from the scan.  If the connection fails, the scanner will compress and encrypt the results locally (archive.bin).  Any previous scan results are overwritten such that only the last successful scan results are archived. 

6.  Once an archive exists, the scanner will attempt to connect to the server every 10 seconds to upload the archive until it is successful.  This means that 10 seconds after the machine is connected back to the network, the archive should be uploaded and cleared from the machine.
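
The offline behaviour in steps 1 to 6, modelled as an added example (not RSA's code). The class, field and module names are constructed, connectivity is assumed constant for the duration of a scan, and stopping the scan on a missing local policy or dependency is an assumption where the answer does not say.

```python
from dataclasses import dataclass, field

# Constructed server-side content: the policy names its modules, each module its dependencies.
SERVER = {"policy": ["drivers", "processes"],
          "modules": {"drivers": ["pe_parser"], "processes": []}}

@dataclass
class Endpoint:
    online: bool
    policy: list = None                           # local policy copy (running.cfg)
    modules: dict = field(default_factory=dict)   # local module copies -> their dependencies
    deps: set = field(default_factory=set)        # local dependency copies
    archive: str = None                           # pending results (archive.bin)
    uploaded: list = field(default_factory=list)  # results the server has received

def run_scan(ep, scan_id):
    """Return (outcome, detail) following steps 1-5 of the answer."""
    if ep.online:                                 # steps 1-3: refresh everything from the server
        ep.policy = list(SERVER["policy"])
        ep.modules = {m: list(d) for m, d in SERVER["modules"].items()}
        ep.deps = {d for ds in ep.modules.values() for d in ds}
        source = "server"
    else:
        source = "local"
        if ep.policy is None:                     # assumption: never connected, so no policy to run
            return "not_run", "no local policy"
        for m in ep.policy:                       # step 2: a missing local module stops the scan
            if m not in ep.modules:
                return "not_run", f"module {m} missing"
            for d in ep.modules[m]:               # step 3: assumption, a missing dependency also stops it
                if d not in ep.deps:
                    return "not_run", f"dependency {d} missing"
    # step 4: the scan itself would run here
    if ep.online:                                 # step 5: upload, or archive locally
        ep.uploaded.append(scan_id)
        return "uploaded", source
    ep.archive = scan_id                          # overwrites any earlier archive
    return "archived", source

def retry_upload(ep):
    """Step 6: one 10-second retry tick; uploads and clears the archive when online."""
    if ep.archive is None or not ep.online:
        return False
    ep.uploaded.append(ep.archive)
    ep.archive = None
    return True
```

Running two scans while offline and then reconnecting delivers only the second result to the server, which is the visibility gap to account for when a host stays off the network across several schedule intervals.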

Question:

What happens if a computer is powered down mid-scan?

Answer:

If a computer is powered down mid-scan the running scan is aborted.  When the scanner is started again it will run scans based on how the scans are scheduled, i.e. system startup or scheduled scan.  It will not resume the aborted scan. 

Legacy Article ID: a58548
