One of the biggest advantages of Agentless Technology is the ability to discover machines in an environment. It would be nice to say that you know exactly what machines are in your environment at any given time, but it is not a claim that many can make with 100% confidence. In most cases, there is simply too much activity happening on the network that is outside the IT administrator’s control, so they are often left to guess how many machines are in their environment. The causes pile up: the larger the environment, the more teams are involved with staging of machines; virtual technology makes it easier and faster to roll out machines; Dev and QA environments give employees the power to build and rebuild machines on a regular basis; the list goes on. The result, however, is the same: machines slip through the cracks and go unmanaged as far as Patch, Threat, and Asset Management are concerned. How do you manage this type of issue?
In NetChk Protect you can do this by running a discovery scan using Patch or Asset agentless scan technology. I typically do this with the Default Security Patch Scan template. Create a new machine group. Click on the IP Address/IP Range tab and enter the IP range of your entire environment. Add multiple ranges for multiple subnets, depending on how your environment is set up. Then set credentials on the group.
Select the Discovery Machine Group you created; in the ‘Scan With:’ drop-down you should see Security Patch Scan. Click “begin scan” and then “scan now.” Depending on the size of the environment this could take a while, so let it run. Once it is complete, you can look at all the machines discovered and, for those that failed to scan, evaluate which are machines and which are likely not machines at all.
In the scan result you can click on Machines Not Scanned and sort by the Reason column. The best way to determine which items are worth investigating further is by the error code.
Understanding the Scan Results:
200, 201, and 235 – Pretty much no machine was on that IP during that scan.
261 – Something is listening, either non-MS or firewalled. Try nslookup or RDP to the box to determine if it is something you can connect to.
300s – Admin shares were removed. Go to Tools > Options > Authentication and check “Create a temporary system drive if none exists”; next time you should be able to scan this machine.
451, 452 – Machine is definitely there, but admin creds or another prerequisite prevented us from scanning. Go to Forum.Shavlik.com and search for the 3-digit error code in the Shavlik Knowledgebase for detailed instructions to resolve.
500s – Definitely a Windows machine, but remote registry access is denied. Win 7, Vista, and 2k8 disable this service by default. Older OSs could have had it disabled or winreg permissions modified. A forum search of the 3-digit code will give additional steps to troubleshoot.
600, 700, 800, 900 – Level codes could come up but not likely under these circumstances as they pertain to other types of scanning.
You can run a report of Machines Not Scanned in a date range to get a list of all error codes for a time period. In the report gallery, select the Machines Not Scanned report, check the advanced filter, and set a date range to capture the latest discovery scan you have run. The report can then be exported into different formats so you can work with the information more easily. Set up a Discovery Scan on a recurring basis and see what comes up. Some people are very surprised at the findings.
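
As an added example (not part of the original post or of NetChk Protect), the following Python script triages an exported Machines Not Scanned report using the error-code ranges listed above. The CSV column names `ip` and `error_code`, the sample rows, and the follow-up ordering are assumptions made for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# (low, high, bucket) ranges taken from the error-code list above.
RULES = [
    (451, 452, "present_but_blocked"),      # creds or another prerequisite failed
    (500, 599, "windows_registry_denied"),  # remote registry access denied
    (300, 399, "admin_shares_removed"),
    (261, 261, "something_listening"),      # non-MS or firewalled
    (200, 201, "no_machine"),
    (235, 235, "no_machine"),
    (600, 999, "other_scan_type"),          # not expected from a discovery scan
]
# Assumed priority order: hosts that are definitely present come first.
FOLLOW_UP = ("present_but_blocked", "windows_registry_denied",
             "admin_shares_removed", "something_listening")

def classify(code):
    """Map a 3-digit error code to a triage bucket."""
    for low, high, bucket in RULES:
        if low <= code <= high:
            return bucket
    return "unclassified"  # look this code up in the knowledge base

def triage(csv_text):
    """Group report rows by bucket; rows with a bad IP or code go to 'unparsed'."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ip = ipaddress.ip_address(row["ip"].strip())
            code = int(row["error_code"].strip())
        except (KeyError, ValueError, AttributeError):
            buckets["unparsed"].append(row)
            continue
        buckets[classify(code)].append(ip)
    return buckets

def follow_up(buckets):
    """IPs that responded but were not scanned, highest priority first."""
    return [(str(ip), b) for b in FOLLOW_UP for ip in sorted(buckets.get(b, []))]

# Constructed sample export (IPv4 only); not real scan output.
SAMPLE = """ip,error_code
10.0.0.12,200\n10.0.0.40,452\n10.0.0.9,502\n10.0.0.200,261
10.0.0.77,301\n10.0.0.5,451\n10.0.0.33,n/a\n10.0.0.50,235
"""

if __name__ == "__main__":
    for ip, bucket in follow_up(triage(SAMPLE)):
        print(ip, bucket)
```

Rows in the `unparsed` and `unclassified` buckets are kept rather than dropped so that a malformed export or an unfamiliar code is still reviewed by hand.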