Here is the response I received from ISS. Even though the ISS training I received was extremely valuable, they didn't touch much on the "speeding scans up" area. I love ISS and their products, but this is really my largest gripe.
You are correct to say that a "console mode scan" does speed the scans up. I haven't tried turning off the checks below, but I'd like to do a scan that is the most reliable, fastest, and scan for the most exploits. Granted, the more checks you add, the longer it takes. But for me, it just seems to hang up on the port scanning.
Another thing that stumps me is that while I'm doing a scan, if you check the CPU utilization, memory, and processes, absolutely nothing is being pegged. The ISS_Winnt process is maybe using like 4% utilization. When I look at the NIC, there is like no activity on it. I went through the options and optimized those areas. I set the "maximum parallel scan threads" to 128, the "parallel service scans" to 16, max connects to 50, and max connections (port scan) to 1024. I set the delay to 10 ms and the timeout to 4000 ms. It seemed as if this had no effect on the scan.
While it does the scan (I've tried both console and gui mode, and the same results), in gui mode, if you see which checks are currently running, it looks like the port scans (tcp and stealth) take the longest. I know I may be banned from saying this forbidden word here, but with nmap on linux, it takes no time flat to do a tcp port scan. Even as far as a nessus scan goes on linux, when it does the scan, you can hear the drive chugging and the utilization of the machine rising. And then it does the scan in a few minutes.
I prefer ISS to Nessus any day because, I believe, the checks are more accurate. But this depends on who you talk to. I'm also trying a product out called "Shadow Security Scanner" that does a scan in a quarter of the time ISS' Internet Scanner does.
Like I said before, I love ISS and the Internet Scanner. But it's just a little frustrating when you have to scan thousands of hosts and it takes a few days to do it, while there's no utilization on the machine or nic.
From: ISS Technical Support [mailto:Support@xxxxxxx]
Sent: Monday, December 02, 2002 9:36 AM
To: Wisniewski, Michael
Subject: RE: 625431 - IS 6.2.1 - optimizing internet scanner
Your old systems were equipped with more than the system requirements for Internet Scanner. So I can see why adding additional hardware did not speed things up. It sounds like you were not over-utilizing the system resources as it was.
Some of our checks do take a long time to complete. If you would like to speed things up, you may consider disabling or reconfiguring some of the checks/options listed below:
--Enumerating NetBIOS shares
--Enumerating NFS mounts (in Vulnerabilities > Standard > NFS, disable nfsexp or the NFS exports check)
--Nbdict (dictionary attack against shares) (in Vulnerabilities > Standard > Shares, disable nbdict)
--Nbperm (password permutations) checks (in Vulnerabilities > Standard > Shares, disable nbperm)
--Password guessing and brute force attacks (disable all options in Vulnerabilities > Standard > Brute Force)
--Full Port Scans (under Common Settings > Port Scan, clear the Run Scan check box)
--ICQClient - The ICQClient may bind at any port, causing inconsistent behavior from one boot to the next. The ICQClient check has been configured to scan the most likely ports, using a default port range from 1024 to 2124. Scanning this entire port range could take a considerable amount of time, as the check determines if the client is bound to a port somewhere within the default range. However, it is possible that the client may be bound outside the port range entered, which could result in a false positive.
--IP Spoofing (disable all options in Vulnerabilities > Standard > Protocol Spoofing)
--Guessing Windows NT passwords against large domain controllers (under Common Settings > Brute Force Lists, clear the Use Default Login File check box)
--SNMP checks (disable all options in Vulnerabilities > Standard > SNMP)
--Spoofing (disable Common Settings > IP Spoofing > Spoof Lists if you have lots of users and trusted hosts)
--Stealth Scans (in Services > TCP > Stealth Port Scan, disable the Stealth Port Scan).
Thank you and have a great day.
If you are using any ISS RealSecure products that utilize the ISSED
database and have not applied the critical database update, please
obtain this patch from the ISS Knowledgebase at:
Reference Answer Number 722
RealSecure products using the ISSED database will not
function properly after 7-17-2002 without this patch.
Technical Support Engineer
Internet Security Systems: http://www.iss.net
Phone: (404) 236-2700 or (888) 447-4861
Technical Support email: support@xxxxxxx
PGP Public Keys http://www.iss.net/support/howto_encrypted_email.php
Internet Security Systems Product Knowledgebase http://www.iss.net/support/knowledgebase/