Running distributed scans

Distributed scans are performed by endpoints that are running the Tanium Client and have Discover tools installed. After identifying unmanaged interfaces, you can apply Discover labels to them. These labels can be used as deployment targets in Tanium Client Management for installation of the Tanium Client, bringing the interfaces under management by the Tanium Server. For more information about deploying the Tanium Client, see Tanium Client Management User Guide: Configure a deployment.

(Tanium Cloud) After identifying unmanaged interfaces, you can use Discover labels to organize them. Additionally, you can download and install the Tanium Client to bring the interfaces under management by Tanium Cloud. For more information, see Tanium Client Management User Guide: Deploying the Tanium Client using an installer or package file.

Profile configuration

There are four levels of distributed scanning. You can create multiple profiles that include passive and active discovery methods. Each profile is scoped by different network inclusions, exclusions, and schedules. With an active discovery method, you might choose to scope the discovery to run on a specific subnet a few times a day. Because passive discovery methods have less network impact, you might choose to scope the discovery to scan a broader part of the network every hour.

For distributed scanning, the best data is provided by a level 4 (Nmap scan with host discovery and OS fingerprinting) profile. This profile type returns data that includes open ports and attempts to identify the OS Platform and OS Generation.

If Nmap is not allowed in your environment, the level 2 (ping) scan generates some OS Platform information.

Level 3 and level 1 scans provide the least information. Level 3 is a quick scan without port probing, but finds all IP addresses using active ARP probing. The level 1 scan is passive and looks at connections or ARP cache to determine what the endpoint knows about without any network probing.

For more information about the data provided by each profile type, see Reference: Data returned by profile type.

Level 1 (ARP cache and interface connections)

Level 1 discovery is a passive discovery method that combines Address Resolution Protocol (ARP) cache and interface connections discovery. No endpoints are scanned with level 1 discovery because the results are returned from the local ARP cache on each endpoint.

On Windows, macOS, and Linux endpoints, Discover filters the ARP cache based on the computed scan range, as if it is doing an active forward (and possibly backward) scan. (See Scan range calculation for more information.) On Solaris and AIX endpoints, Discover filters the ARP cache based on the profile network inclusions and exclusions, returning a maximum of 1000 results.

The interface connections method sends actions to the endpoints to trigger the collection of all current IP connections that are on each managed endpoint. Then, the related MAC address is resolved by looking up the interfaces in the local ARP cache.

Value on Interfaces pages: arp, connected

Level 2 (ping)

The level 2 discovery method uses ICMP ping to find unmanaged interfaces.

When level 2 discovery is initiated on a managed endpoint, the scan range is calculated based on its peers in the linear chain. See Scan range calculation for more information.

After the range is calculated, the scanning package pings the targeted IP addresses with an Internet Control Message Protocol (ICMP) ping. Pings without a response take 3 seconds. Pings that return a response take much less time.

Isolated endpoints are not scanned by default. Isolated endpoints are endpoints that are on an isolated subnet, or appear to be on an isolated subnet because the endpoint has no peers. For more information about isolated subnets, see Tanium Client Management User Guide: Configure isolated subnets. To enable scanning of isolated endpoints, clear the Isolated Subnets/Systems option when you configure the discovery method.

When the results are imported, the Discover service:

  • Resolves host names
  • Checks if the interface is managed or unmanaged
  • Resolves MAC address and Manufacturer
  • Resolves OS Platform based on time to live (TTL) value in the ping response: Windows, Linux/Mac, or Solaris/AIX (Solaris endpoints do not detect OS Platform)

The ping discovery causes a small amount of network traffic over time. You might choose to run it on a smaller part of the network or at a longer schedule interval.

When you configure level 2 discovery on a sparsely populated network, set the schedule Reissue every setting to an hour or more to prevent scans from overlapping. If scans overlap, data may never be gathered for the upper end of the scan range.

Value on Interfaces pages: ping

Level 3 (Nmap scan with host discovery)

The level 3 discovery method uses the Network Mapper (Nmap) utility on each endpoint to find information about network interfaces.

When level 3 discovery is initiated on an endpoint, the scan range is calculated based on its peers in the linear chain. See Scan range calculation for more information.

Nmap scan host discovery finds unmanaged interfaces by automatically distributing a scanning package to the Tanium managed endpoints. This package consists of drivers (Windows only), libraries, and executable files. Then, an Nmap scan runs with an ARP broadcast scan only. If an ARP reply is received from the target, the interface is listed as available. No operating system or open port information is returned about the interfaces. Because level 3 discovery performs an ARP broadcast, you might see a spike in network activity at the beginning of the scan.

Endpoint files: The Nmap discovery method uses Npcap, a device driver, on Windows endpoints. For information about exclusions that might need to be enabled for Nmap, see Host and network security requirements.

Tanium installs Npcap on endpoints that do not have Npcap installed. By default, Tanium does not update the Npcap version on endpoints that already have Npcap installed. You can configure the scan profile so that Tanium updates Npcap on endpoints where Npcap was previously installed by Tanium. To install Npcap outside of a scan or to update Npcap on endpoints where Npcap was previously installed by another vendor, deploy the Discover-Install Npcap package to the targeted endpoints.

Tanium installs the following files:

  • nmap.exe: Runs scanning operations from the <Tanium Client>\Tools\Discover\nmap directory.
  • npcap-[version]-oem.exe and vcredist_x86.exe: Run on the endpoint and add libraries and drivers that Nmap requires. These executable files run out of the <Tanium Client>\Downloads\Action_<action_id> directory. On Windows endpoints, Npcap is loaded on demand and is available to only admin users on the endpoint. Npcap files are installed in the C:\Program Files\Npcap directory.

Nmap is not supported on AIX or Solaris. If Nmap scanning is configured for endpoints on these platforms, the endpoints perform level 2 scans instead. Level 2 scans are also performed if the Nmap scan has any problems running on the endpoint.

For information about uninstalling Npcap, see Remove Npcap from endpoints.

Value on Interfaces pages: nmap

Level 4 (Nmap scan with host discovery and OS fingerprinting)

Like the level 3 discovery method, level 4 also uses Nmap to find unmanaged interfaces. Level 4 discovery also includes OS fingerprinting.

By default, Discover scans 1000 commonly used TCP ports to calculate the OS Generation field. (For more information, see Top 1,000 TCP and UDP ports (nmap default).) In the profile settings you can configure different ports to scan and can change the source port from which the scan originates. The value of the OS Generation field is a “best guess” from Nmap, and is not displayed for managed interfaces.

Endpoint files: The Nmap discovery method uses Npcap, a device driver, on Windows endpoints. For information about exclusions that might need to be enabled for Nmap, see Host and network security requirements.

Tanium installs Npcap on endpoints that do not have Npcap installed. By default, Tanium does not update the Npcap version on endpoints that already have Npcap installed. You can configure the scan profile so that Tanium updates Npcap on endpoints where Npcap was previously installed by Tanium. To install Npcap outside of a scan or to update Npcap on endpoints where Npcap was previously installed by another vendor, deploy the Discover-Install Npcap package to the targeted endpoints.

Tanium installs the following files:

  • nmap.exe: Runs scanning operations from the <Tanium Client>\Tools\Discover\nmap directory.
  • npcap-[version]-oem.exe and vcredist_x86.exe: Run on the endpoint and add libraries and drivers that Nmap requires. These executable files run out of the <Tanium Client>\Downloads\Action_<action_id> directory. On Windows endpoints, Npcap is loaded on demand and is available to only admin users on the endpoint. Npcap files are installed in the C:\Program Files\Npcap directory.

Nmap is not supported on AIX or Solaris. If Nmap level 3 scanning is configured for endpoints on these platforms, the endpoints perform level 2 scans instead. Level 2 scans are also performed if the Nmap scan has any problems running on the endpoint.

For information about uninstalling Npcap, see Remove Npcap from endpoints.

Value on Interfaces pages: nmap

Scan range calculation

Discover caps scan ranges at the /22 range (1024 IP addresses). When a scan runs, the Tanium Client calculates scan range automatically.

With level 2-4 discovery methods, scans typically run only in the gaps between the managed interfaces. Scanning only in the gaps eliminates many of the common issues with network scanners that generate significant network traffic and trigger alarms in intrusion prevention systems (IPS) and firewalls.

Most endpoints perform forward scans to avoid overlaps in scanning from other endpoints. Endpoints with no backward peers also scan backwards to avoid any gaps in scans. Review the following scenarios to fully understand how scan ranges are calculated.

Scenario: Endpoint has forward and backward peers

A managed endpoint at address 192.168.1.10 has a forward peer at address 192.168.1.20 and a backward peer at address 192.168.1.5.

A forward scan occurs from 192.168.1.11 to 192.168.1.19. Because the IP address has a backward peer, a backward scan is not performed.

Scenario: Endpoint has forward peer but no backward peer

A managed endpoint at address 192.168.1.10 has a forward peer at address 192.168.1.20, but no backward peer.

A forward scan occurs from 192.168.1.11 to 192.168.1.19. Because the endpoint has no backward peer, a backward scan from 192.168.1.1 to 192.168.1.9 is performed.

A scan occurs from 192.168.1.1 to 192.168.1.19 (excluding the origin endpoint: 192.168.1.10).
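To make the two scenarios concrete, here is an added example (not Tanium code) that computes the forward and backward ranges for an endpoint and then checks a level 2 schedule against the worst-case ping time implied by the 3-second timeout described earlier. The network boundary used when a peer is missing, the sequential-ping assumption, and the way the /22 cap is applied to each direction are assumptions, not documented behavior.

```python
# Added example (not Tanium code): models the scan range rules described
# above and checks a level 2 (ping) schedule against the resulting range.
import ipaddress
from typing import List, Optional, Tuple

MAX_RANGE_SIZE = 1024   # Discover caps a scan range at /22 (1024 addresses)
PING_TIMEOUT_S = 3      # an unanswered ICMP ping takes 3 seconds

Range = Tuple[str, str]  # inclusive (first, last) address


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _txt(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def compute_scan_ranges(endpoint: str, network: str,
                        forward_peer: Optional[str] = None,
                        backward_peer: Optional[str] = None) -> List[Range]:
    """Ranges a managed endpoint scans; the origin endpoint is never included.

    Forward: endpoint+1 .. forward_peer-1 (with no forward peer, the last
    usable host of `network` is assumed to bound the scan).
    Backward: only when there is no backward peer, first usable host .. endpoint-1.
    Assumption: the /22 cap clips each direction to the 1024 addresses
    nearest the endpoint.
    """
    net = ipaddress.IPv4Network(network, strict=False)
    ep = _ip(endpoint)
    first_host = int(net.network_address) + 1
    last_host = int(net.broadcast_address) - 1
    ranges: List[Range] = []

    fwd_start = ep + 1
    fwd_end = _ip(forward_peer) - 1 if forward_peer else last_host
    fwd_end = min(fwd_end, fwd_start + MAX_RANGE_SIZE - 1)
    if fwd_start <= fwd_end:
        ranges.append((_txt(fwd_start), _txt(fwd_end)))

    if backward_peer is None:
        bwd_end = ep - 1
        bwd_start = max(first_host, bwd_end - MAX_RANGE_SIZE + 1)
        if bwd_start <= bwd_end:
            ranges.append((_txt(bwd_start), _txt(bwd_end)))
    return ranges


def address_count(ranges: List[Range]) -> int:
    return sum(_ip(last) - _ip(first) + 1 for first, last in ranges)


def worst_case_ping_seconds(ranges: List[Range]) -> int:
    # Level 2 upper bound, assuming sequential pings and no replies at all.
    return address_count(ranges) * PING_TIMEOUT_S


def scans_may_overlap(ranges: List[Range], reissue_every_s: int) -> bool:
    # True when the worst-case scan outlasts the Reissue every interval.
    return worst_case_ping_seconds(ranges) > reissue_every_s
```

A full /22 range of silent addresses takes 1024 × 3 s = 3072 s in this model, which is why an hourly Reissue every setting avoids overlap while a 30-minute one does not.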

Configure profile for distributed scan

Configure a profile for the distributed scan by defining which networks to scan, the discovery method, and a scan schedule.

Create profiles according to your deployment plan. See Develop a deployment plan. If you are using a by subnet deployment policy, test and continue to add subnets to the profile until you are comfortable using all subnets.

Before you begin

  • To scan portions of the network, you must know the IP ranges or the networks that you want to scan.
  • (Optional) Create a locations file to map physical locations to discovered interfaces. Assign users to specific locations to limit access to interface data to specific user groups. You can configure locations at any time because the locations are evaluated every time a Discover scan completes. For more information, see Locations.

    For the most complete results from the scan, import locations before configuring a profile. You can update locations later as you find more information about your networks.

Create profile

  1. Add a profile. From the Discover menu, click Profiles. Click Create Profile.
  2. Give the profile a name and select the Distributed profile type.
  3. Select a discovery method (level 1-4) and whether you want to include host name lookup. Host name resolution consumes some network resources, even with lower impact discovery methods.

    To help target installation of the Tanium Client on unmanaged interfaces, configure a scan that returns operating system information about the endpoints. Level 4 Nmap discovery provides the best results, but Level 2 ping scans also provide some operating system information.

  4. Select how Tanium manages the Npcap driver on Windows endpoints.

    • To use the existing Npcap version on the endpoint and not update to a newer version, select Use existing Npcap version. Tanium installs Npcap on the endpoint if it is not already installed. This is the default setting.

      If you upgrade to Discover 4.1.240 or later from an older version, be aware that the default Npcap management behavior changed to no longer automatically update Npcap. To have Tanium continue to update Npcap on endpoints, select the Update Tanium version of Npcap option.

      Select this option if you plan to manually update Npcap versions.

    • To use the Npcap version included with Discover, select Update Tanium version of Npcap. Tanium updates Npcap if it is not on the endpoint or if Npcap was previously installed by Tanium. If Npcap was installed outside of Tanium, Tanium does not update Npcap. This is the recommended setting.

  5. Specify the ports to scan.
  6. Configure targeting. Targeting specifies the networks to include and exclude from the scan.
    1. Scan Inclusions: Specify networks that you want to scan.
      Typically, choose All Networks to include the broadest results. The All Networks option scans all networks that are accessible to the endpoints that are configured for the Discover action group. For the best results, configure the Discover action group to include all computers. For more information, see Installing Discover.
      To run scans on endpoints that are only in certain networks, select Specific Networks, then click . With this selection, results outside the scope of the selected networks are not included in the final report.
      To run scans on endpoints that are only in a certain computer group, select Computer Groups, then select the groups. With this selection, results outside the scope of the selected groups do not perform the selected scan.
    2. Scan Exclusions: Specify networks that you want to exclude from scans. Endpoints on these networks do not perform scans, and no results are returned from endpoints on these networks. Consider defining the following exclusions:
      • Isolated Endpoints: Prevent isolated endpoints from performing scans. To enable these endpoints to perform scans, clear the check box.
      • Specific Networks: List critical devices with fragile networking. These IPs are not contacted during the scan process. If any endpoints in this network are running the Tanium Client, these endpoints do not perform scans.
      • VPN Networks: List VPN subnets to avoid, including interfaces outside your corporate networks. If you do not define VPN networks as an exclusion, devices such as gaming systems and streaming devices from home networks might be discovered. If a managed endpoint is used on a public network, such as in a restaurant or airport, devices on those networks might be discovered if the VPN exclusion is not defined.
      • Zone Servers: Define internet zone servers to exclude endpoints connecting from internet locations. List the internet-accessible host names or IP addresses of the zone servers to be excluded. As a safety mechanism, if an endpoint that connects through a zone server cannot resolve a host name in a zone server exclusion, the scan is not performed on that endpoint. Configure either all IP addresses or all host names for your zone server exclusions and zone server name definitions. Mixing IP addresses and host names in the configuration and exclusions can have unexpected results.

      At a minimum, configure exclusions for VPN, zone servers, and critical endpoints with fragile network configurations.

  7. Configure the scan schedule and scan window.

    1. Schedule: The schedule defines how often to run the scan.
      Recommended scanning frequency is once an hour in most environments. If you are using level 2 discovery, set the Reissue every interval to an hour or more to ensure that the next scan does not begin before the current scan completes.

      The Ping Interval lets you set the time between ping scan attempts. In most cases, you should not need to change the default of 0 milliseconds. This field is available for level 2 discovery (Windows and Linux endpoints only).

    2. Scan Window (Windows, Mac, and Linux endpoints only): Configure specific times to run the discovery process on your endpoints. If a scan is scheduled to run outside the scan window, nothing is run as a part of the scan.
      The time can either be the local endpoint time of the Tanium Client (distributed scans) or satellite (satellite scans), or the local time of the Tanium user that is configuring the profile. For example, you can choose Local Endpoint Time and create a scan configuration to scan your endpoints daily, but restrict the scans to run during non-business hours, such as from 6:30 PM to 11:30 PM. If some of your endpoints are offline during the scan window, you can choose the Override option to scan any endpoints that have a scan age older than a specified amount of time, in hours, days, or weeks.
      The Duration of the scan window must be greater than or equal to the Reissue every plus Distribute over settings in the schedule section. If the value is set to less than the sum of these values, some endpoints never scan.

  8. Click Create.

Discovery process

After you save a profile, the following actions occur:

  1. Scheduled actions are created for the profile: Discover Content - Execute Scan [profile_name] and Discover Content - Execute Scan for non-Windows [profile_name].
  2. Scans run according to the defined schedule.
  3. Results of discovery scans are imported into Discover at the configured Import Frequency interval. For more information, see Configure import frequency.

If you have enabled Endpoint Configuration approval, configuration changes must be approved in Endpoint Configuration before they deploy to endpoints.

Scan results

After you discover interfaces, the Interfaces pages list the interfaces with the following icons:

  • Managed interfaces that have Tanium Client installed.
  • Unmanaged interfaces that do not have Tanium Client installed, but might be a candidate for a Tanium Client installation.
  • Unmanageable interfaces are on devices that cannot run the Tanium Client. By default, unmanageable interfaces have an OS Platform that is not supported by the Tanium Client, defined by the Unmanageable OS Platforms predefined automatic label. Unmanageable interfaces are not included in the managed and unmanaged interface statistics.

The profile type and discovery method that were used to find the interface determine which columns appear on the Interfaces pages. For more information, see Reference: Data returned by profile type.

Force import of scan results

Instead of waiting for the Reissue every time to pass, you can force an import of the most recent scan results.

  1. Go to the Discover Profiles page.
  2. Click Reimport Scan Results. When you click this button:
      • Distributed scan results are collected. If these methods are not active on the endpoints, no results are collected.
      • Satellite profile scan results are collected from the satellite.
      • Centralized profile scan results are collected from the Tanium Module Server.

      Clicking Reimport Scan Results does not force the execution of distributed, satellite, or centralized scans. The results for distributed scans are gathered if they are already distributed and active on the endpoints. For satellite scans, the results from the latest scan are collected from the associated satellite. For centralized scans, the results from the last scan are collected from the Tanium Module Server.

What to do next