Recently we introduced an option in the Option Profile on the Scan tab called Lite OS Detection.
This article explains the behavior of this option, and the costs and benefits of using it.
In a normal scan some of the methods used to identify the operating system of a target are expensive both computationally and in terms of time required. In addition, some of these methods may create a large number of system or application alerts if the target is so configured.
What the Option Does
When this option is selected, and QID 45017 is included in the scan (45017 is included in the default Complete Vulnerability Detection), the scan job will exclude these expensive methods during OS detection. The option does not change which ports we scan or how we scan them. It simply prevents the scanner from executing the expensive modules during OS detection. Note: These modules may still be executed if other detections need them, but not as a part of OS discovery.
Without the option selected, the presence of the 45017 QID in the list of requested QIDs causes the scanner to enable ALL available modules that could lead to any OS detection method. This includes a number of very expensive modules, including web page analysis and partial web spidering.
Enabling the option may reduce the amount of time required for OS detection, and may also reduce alert traffic to system/application administrators. The option may also reduce the accuracy of the OS detection. However, if the scan is authenticating to the target this reduction of accuracy may be avoided, as authenticated OS detection is usually a much higher accuracy than remote detections. As always, testing in your environment is encouraged.
Enabling Lite OS Detection will remove the following OS discovery methods from a scan:
- HTTP: PHP-based information from PHP information/debugging pages
- VMware ESXi web service
With the option enabled, the scanner will perform an identical scan as without it enabled, with the sole exception that the very expensive modules will no longer be triggered automatically by the presence of QID 45017, and the corresponding expensive OS discovery methods would no longer be used – UNLESS the scan also requested other QIDs which require the inclusion of those same modules. This means with the flag set the expensive OS detection methods would still be used if their use was incidental, as part of other detections, but the use of those methods would not be forced by just the presence of QID 45017.
The overall list of OS detection methods, and the possibility of authenticated scans using additional, better OS detection methods, has not been changed in any way, and is not affected by the flag.