Running distributed scans

Distributed scans are performed by endpoints that are running the Tanium Client and have Discover tools installed. After identifying unmanaged interfaces, you can install the Tanium Client to bring the interfaces under management by the Tanium Server or Tanium as a Service.

Profiles

Use profiles to define properties for scanning the network, including network inclusions and exclusions, discovery methods, and a scan schedule. You can create multiple profiles.

If you selected the Automatic configuration with default settings option during installation, a Level 4 Nmap distributed profile is created by default. You can use or edit this profile or create a new one. For more information about this type of profile, see Level 4 (Nmap scan with host discovery and OS fingerprinting).

Discovery method impact

Before you configure a profile, you must understand the impact of the different discovery methods. Passive discovery methods use existing information on the endpoints to find interfaces, generating no network activity. Active discovery methods perform network scanning.

You can use four levels of discovery. Lower levels are more passive, have less network impact, but provide a limited set of information. Higher levels perform active scans on the network, but provide more information about unmanaged interfaces, such as host name and operating system.

Table 1: Discovery method network impact

Discovery method                                                                    | Approximate bytes per IP found (DNS lookup disabled) | Approximate bytes per IP found (DNS lookup enabled)
Level 1 (ARP cache and interface connections)                                       | 0                                                    | 512
Level 2 (ping)                                                                      | 74                                                   | 586
Level 3 (Nmap scan with host discovery)                                             | 56                                                   | 586
Level 4 (Nmap scan with host discovery and OS fingerprinting, 1000 port default)    | n/a                                                  | 122000

Bytes are calculated based on standard network equipment; values might have extra padding in some situations.

Profile configuration

You can create multiple profiles that include passive and active discovery methods. Each profile is scoped by different network inclusions, exclusions, and schedules. With an active discovery method, you might choose to scope the discovery to run on a specific subnet a few times a day. Because passive discovery methods have less network impact, you might choose to scope the discovery to scan a broader part of the network every hour.

For distributed scanning, the best data is provided by a level 4 (Nmap scan with host discovery and OS fingerprinting) profile. This profile type returns open ports and attempts to identify the OS Platform and OS Generation.

If Nmap is not allowed in your environment, the level 2 (ping) scan generates some OS Platform information.

Level 3 and level 1 scans provide the least information. Level 3 is a quick scan without port probing, but finds all IP addresses using active ARP probing. The level 1 scan is passive and looks at connections or ARP cache to determine what the endpoint knows about without any network probing.

For more information about the data provided by each profile type, see Reference: Data returned by profile type.

Level 1 (ARP cache and interface connections)

Level 1 discovery is a passive discovery method that combines ARP cache and interface connections discovery. No endpoints are scanned with level 1 discovery because the results are returned from the local ARP cache on each endpoint.

All IPs that are in the ARP cache are included in the scan results, limited to the locally configured subnet mask, up to a /22 range (1024 IP addresses). Discover caps scan ranges at the /22 range. Subnets larger than /22 (that is, with a shorter prefix) do not get all of their results returned because of the high number of IP addresses; a /16 range, for example, can hold up to 65,536 IP addresses.

The interface connections method sends actions to the endpoints to trigger the collection of all current IP connections that are on each managed endpoint. Then, the related MAC address is resolved by looking up the interfaces in the local Address Resolution Protocol (ARP) cache.

Value on Interfaces pages: arp, connected

Level 2 (ping)

The level 2 discovery method uses a simple ping script to find unmanaged interfaces.

When level 2 discovery is initiated on a managed endpoint, the scan range is calculated based on its peers in the linear chain. See Scan range calculation for more information.

After the range is calculated, the scanning package pings the targeted IP addresses with an Internet Control Message Protocol (ICMP) ping. Pings without a response take 3 seconds. Pings that return a response take much less time.

Isolated endpoints are not scanned by default. Isolated endpoints are endpoints that are on an isolated subnet, or appear to be on an isolated subnet because the endpoint has no peers. For more information about isolated subnets, see Tanium Client Deployment Guide: Configure "isolated subnets". To enable scanning of isolated endpoints, deselect the Isolated Subnets/Systems option when you configure the discovery method.

When the results are imported, the Discover service: 

  • Resolves host names
  • Checks if the interface is managed or unmanaged
  • Resolves MAC address and Manufacturer
  • Resolves OS Platform based on time to live (TTL) value in the ping response:  Windows, Linux/Mac, or Solaris/AIX (Solaris endpoints do not detect OS Platform)

The simple ping script discovery causes a small amount of network traffic over time. You might choose to run it on a smaller part of the network or at a longer schedule interval.

When you configure level 2 discovery on a sparsely populated network, set the schedule Reissue every setting to an hour or more to prevent scans from overlapping. If scans overlap, data may never be gathered for the upper end of the scan range.

Value on Interfaces pages: ping

Level 3 (Nmap scan with host discovery)

The level 3 discovery method uses the Network Mapper (Nmap) utility on each endpoint to find information about network interfaces.

When level 3 discovery is initiated on an endpoint, the scan range is calculated based on its peers in the linear chain. See Scan range calculation for more information.

Nmap scan host discovery finds unmanaged interfaces by automatically distributing a scanning package to the Tanium managed endpoints. This package consists of drivers (Windows only), libraries, and executable files. Then, an Nmap scan runs with an ARP broadcast scan only. If an ARP reply to the target is found, the endpoint is listed as available. No operating system or open port information is returned about the interfaces. Because level 3 discovery performs an ARP broadcast, you might see a spike in network activity at the beginning of the scan.

Endpoint files: The Nmap discovery method installs the following files on the endpoint. For more information about exclusions that might need to be enabled for Nmap, see Host and network security requirements.

  • nmap.exe: Runs scanning operations from the <Tanium Client>\Tools\Discover\nmap directory.
  • npcap-[version]-oem.exe and vcredist_x86.exe: Run on the endpoint and add libraries and drivers that Nmap requires. These executable files run out of the <Tanium Client>\Downloads\Action_<action_id> directory. On Windows endpoints, Npcap is loaded on demand and is available to only admin users on the endpoint. Npcap files are installed in the C:\Program Files\Npcap directory.

Nmap is not supported on Windows 2003 Server, Windows XP, AIX, and Solaris. If Nmap scanning is configured for endpoints on these platforms, the endpoints perform level 2 scans instead. Level 2 scans are also performed if the Nmap scan has any problems running on the endpoint.

Value on Interfaces pages: nmap

Level 4 (Nmap scan with host discovery and OS fingerprinting)

Like the level 3 discovery method, level 4 also uses Nmap to find unmanaged interfaces. Level 4 discovery also includes OS fingerprinting.

OS fingerprinting scans 1000 commonly used TCP ports on each endpoint. In the profile settings, you can configure a preferred source port from which the scan runs on endpoints, and the target endpoint ports. The value of the OS Generation field is a “best guess” from Nmap, and is not displayed for managed interfaces.

Endpoint files: The Nmap discovery method installs the following files on the endpoint. For more information about exclusions that might need to be enabled for Nmap, see Host and network security requirements.

  • nmap.exe: Runs scanning operations from the <Tanium Client>\Tools\Discover\nmap directory.
  • npcap-[version]-oem.exe and vcredist_x86.exe: Run on the endpoint and add libraries and drivers that Nmap requires. These executable files run out of the <Tanium Client>\Downloads\Action_<action_id> directory. On Windows endpoints, Npcap is loaded on demand and is available to only admin users on the endpoint. Npcap files are installed in the C:\Program Files\Npcap directory.

Nmap is not supported on Windows 2003 Server, Windows XP, AIX, and Solaris. If Nmap scanning is configured for endpoints on these platforms, the endpoints perform level 2 scans instead. Level 2 scans are also performed if the Nmap scan has any problems running on the endpoint.

Value on Interfaces pages: nmap

Scan range calculation

With level 2-4 discovery methods, scans typically run only in the gaps between the managed interfaces. Scanning only in the gaps eliminates many of the common issues with network scanners that generate significant network traffic and trigger alarms in intrusion prevention systems (IPS) and firewalls.

Most endpoints perform forward scans to avoid overlaps in scanning from other endpoints. Endpoints with no backward peers also scan backwards to avoid any gaps in scans. Review the following scenarios to fully understand how scan ranges are calculated.

Scenario: Endpoint has forward and backward peers

A managed endpoint at address 192.168.1.10 has a forward peer at address 192.168.1.20 and a backward peer at address 192.168.1.5.

A forward scan occurs from 192.168.1.11 to 192.168.1.19. Because the IP address has a backward peer, a backward scan is not performed.

Scenario: Endpoint has forward peer but no backward peer

A managed endpoint at address 192.168.1.10 has a forward peer at address 192.168.1.20, but no backward peer.

A forward scan occurs from 192.168.1.11 to 192.168.1.19. Because the endpoint has no backward peer, a backward scan from 192.168.1.1 to 192.168.1.9 is performed.

A scan occurs from 192.168.1.1 to 192.168.1.19 (excluding the origin endpoint: 192.168.1.10).
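The two scenarios above follow one rule set, which the added example below implements for an arbitrary subnet and list of managed endpoints (example code written for this page, not Tanium's own logic). It assumes that an endpoint with no forward peer scans forward to the end of its subnet, which the page does not state.

```python
import ipaddress
from typing import Dict, List, Tuple

Range = Tuple[str, str]  # (first address, last address), inclusive


def scan_ranges(network: str, managed: List[str]) -> Dict[str, List[Range]]:
    """Return, per managed endpoint, the address ranges it scans.

    Rules taken from the scan range description:
      - each endpoint scans forward from its own address + 1 up to the
        address just before its forward peer (next managed endpoint);
      - an endpoint with no backward peer also scans backward, from the
        first usable address of the subnet up to its own address - 1;
      - the origin endpoint's own address is never scanned.
    Assumption (not on the page): the last endpoint in the chain scans
    forward to the last usable address of the subnet.
    """
    net = ipaddress.ip_network(network, strict=False)
    peers = sorted(ipaddress.ip_address(a) for a in managed)
    if any(p not in net for p in peers):
        raise ValueError("managed endpoint outside the scan network")
    first_usable = net.network_address + 1
    last_usable = net.broadcast_address - 1

    result: Dict[str, List[Range]] = {}
    for i, ep in enumerate(peers):
        ranges: List[Range] = []
        # Backward scan only for the endpoint with no backward peer.
        if i == 0 and ep > first_usable:
            ranges.append((str(first_usable), str(ep - 1)))
        # Forward scan stops just before the forward peer.
        fwd_end = peers[i + 1] - 1 if i + 1 < len(peers) else last_usable
        if fwd_end > ep:  # adjacent peers leave no gap to scan
            ranges.append((str(ep + 1), str(fwd_end)))
        result[str(ep)] = ranges
    return result


def address_count(ranges: List[Range]) -> int:
    """Number of IP addresses an endpoint will probe (size of its gaps)."""
    return sum(
        int(ipaddress.ip_address(hi)) - int(ipaddress.ip_address(lo)) + 1
        for lo, hi in ranges
    )


if __name__ == "__main__":
    # Constructed input matching the second scenario: no backward peer.
    for ep, rngs in scan_ranges("192.168.1.0/24", ["192.168.1.10", "192.168.1.20"]).items():
        print(ep, rngs, address_count(rngs))
```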

Configure profile for distributed scan

Configure a profile for the distributed scan by defining which networks to run the scan, the discovery method, and a scan schedule.

Create profiles according to your deployment plan. See Develop a deployment plan. If you are using a by subnet deployment policy, test and continue to add subnets to the profile until you are comfortable using all subnets.

Before you begin

  • To scan portions of the network, you must know the IP ranges or the networks that you want to scan. Verify that the Discover service account has access to the networks that are configured as inclusions in the profile.
  • (Optional) Create a locations file to map physical locations to discovered interfaces. Assign users to specific locations to limit access to interface data to specific user groups. You can configure locations at any time because the locations are evaluated every time a Discover scan completes. For more information, see Locations.
    For the most complete results from the scan, import locations before configuring a profile. You can update locations later as you find more information about your networks.

Create profile

  1. Add a profile. From the Discover menu, click Profiles. Click Create Profile.
  2. Give the profile a name and select the Distributed (scan from endpoints) profile type.
  3. Select a discovery method (level 1-4) and whether you want to include host name lookup. Host name resolution consumes some network resources, even with lower impact discovery methods.
    To help target installation of the Tanium Client on unmanaged interfaces, configure a scan that returns operating system information about the endpoints. Level 4 Nmap discovery provides the best results, but Level 2 ping scans also provide some operating system information.
  4. Configure targeting. Targeting specifies the networks to include and exclude from the scan.
    1. Scan Inclusions: Specify networks that you want to scan.
      Typically, choose All Networks to include the broadest results. The All Networks option scans all networks that are accessible to the endpoints that are configured for the Discover action group. For the best results, configure the Discover action group to include all computers. For more information, see Configure Discover action group.
      To run scans on endpoints that are only in certain networks, select Specific Networks, then click . With this selection, results outside the scope of the selected networks are not included in the final report.
      To run scans on endpoints that are only in a certain computer group, select Computer Groups, then select the groups. With this selection, results outside the scope of the selected groups do not perform the selected scan.
    2. Scan Exclusions: Specify networks that you want to exclude from scans. Endpoints on these networks do not perform scans, and no results are returned from endpoints on these networks. Consider defining the following exclusions: 
      • Isolated Endpoints: Prevent isolated endpoints from performing scans. To enable these endpoints to perform scans, clear the check box.
      • Specific Networks: List critical devices with fragile networking. These IPs are not contacted during the scan process. If any endpoints in this network are running the Tanium Client, these endpoints do not perform scans.
      • VPN Networks: List VPN subnets to avoid, including interfaces outside your corporate networks. If you do not define VPN networks as an exclusion, devices such as gaming systems and streaming devices from home networks are discovered. If a managed endpoint is used on a public network, such as in a restaurant or airport, devices on those networks would be discovered if the VPN exclusion is not defined.
      • Zone Servers: Define internet zone servers to exclude endpoints connecting from internet locations. If an endpoint that connects through a zone server cannot resolve a host name in a zone server exclusion, the scan is not performed on that endpoint. Configure either all IP addresses or all host names for your zone server exclusions and zone server name definitions. Mixing IP addresses and host names in the configuration and exclusions can have unexpected results.
      At a minimum, configure exclusions for VPN, zone servers, and critical endpoints with fragile network configurations.
  5. Configure the scan schedule and scan window.

    1. Schedule: The schedule defines how often to run the scan and how long to take to distribute the scan tools to endpoints.
      Recommended scanning frequency is once an hour in most environments. If you are using level 2 discovery, set the Reissue every interval to an hour or more to ensure that the next scan does not begin before the current scan completes.
    2. Scan Window (Windows, Mac, and Linux endpoints only): Configure specific times to run the discovery process on your endpoints. If a scan is scheduled to run outside the scan window, nothing is run as a part of the scan.
      The time can either be the local endpoint time of the Tanium Client, or the local time of the Tanium user that is configuring the profile. For example, you can choose Local Endpoint Time and create a scan configuration to scan your endpoints daily, but restrict the scans to run during non-business hours, such as from 6:30 PM to 11:30 PM. If some of your endpoints are offline during the scan window, you can choose the Override option to scan any endpoints that have a scan age older than a specified amount of time, in hours or days.
      The Duration of the scan window must be greater than or equal to the Reissue every plus Distribute over settings in the schedule section. If the value is set to less than the sum of these values, some endpoints never scan.

  6. Click Create.

Discovery process

After you save a profile, the following actions occur: 

  1. Scheduled actions are created for the profile: Discover Content - Execute Scan [profile_name] and Discover Content - Execute Scan for non-Windows [profile_name].
  2. Scans run according to the defined schedule.
  3. Results of discovery scans are imported into Discover at the Reissue every interval that you defined.

If you have enabled Endpoint Configuration approval, configuration changes must be approved in Endpoint Configuration before they deploy to endpoints.

Scan results

After you discover interfaces, the Interfaces pages list the interfaces with the following icons:

  • Managed interfaces that have Tanium Client installed.
  • Unmanaged interfaces that do not have Tanium Client installed, but might be a candidate for a Tanium Client installation.
  • Unmanageable interfaces are on devices that cannot run the Tanium Client. By default, unmanageable interfaces have an OS Platform that is not supported by the Tanium Client, defined by the Unmanageable OS Platforms predefined automatic label. Unmanageable interfaces are not included in the managed and unmanaged interface statistics.

The profile type and discovery method that were used to find the interface return varying columns on the Interfaces pages. For more information, see Reference: Data returned by profile type.

Force import of scan results

Instead of waiting for the Reissue every time to pass, you can force an import of the most recent scan results.

  1. Go to the Discover Profiles page.
  2. Click Reimport Scan Results. When you click this button:
      • Level 1 profile scan results are collected and imported.
      • Level 2, 3, and 4 scan results are collected. If these methods are not active on the endpoints, no results are collected.
      • Centralized profile scan results are collected from the Tanium Module Server.

      Clicking Reimport Scan Results does not force the execution of level 2, 3, or 4 distributed scans, or of any centralized scans. The results for level 2, 3, or 4 distributed scans are gathered only if the scans are already distributed and active on the endpoints. For centralized scans, the results from the last scan are collected from the Tanium Module Server.

What to do next