There are four different types of scans available in Nebula. The Threat, Hyper, and Custom scans check for threats and the Inventory & Vulnerability scan updates the endpoint information in the console. This article explains the types of scans and the options available for each.
Scans may be run manually across endpoints or scheduled at a time that works best for you. Options for scans are set within a policy.
- For more information on initiating a scan from the console, see Perform actions on endpoints in Nebula.
- Threat Scans can be initiated on a local endpoint by right-clicking on the Endpoint Agent tray icon and selecting Start Threat Scan.
- For more information on scheduled scans, see Set scheduled scans in Nebula.
Threat Scans
Threat Scans detect most common threats by scanning conventional locations on an endpoint where threats can occur. Threat Scans use heuristic analysis, a technique that looks for certain malicious behaviors in files that Nebula hasn't seen before.
Threat Scans check the following on your endpoints:
- Memory Objects: Memory allocated by operating system processes, drivers, and other applications.
- Startup Objects: Executable files and modifications made during computer startup.
- Registry Objects: Configuration changes made to the Windows registry.
- File System Objects: Files that may contain malicious programs or harmful code snippets.
You may also select:
- Quarantine found threats automatically: Immediately quarantine threats when they're detected. If not selected, the file will not be automatically quarantined.
We recommend running a Threat Scan daily to keep your endpoints safe. For more details on changing Threat Scan settings, see Scan Settings in Nebula overview.
Hyper Scans
A Hyper Scan is a quick scan that detects and cleans threats. If a Hyper Scan finds any threats, run a Threat Scan to check for threats at a deeper level.
Hyper Scans check the following:
- Memory Objects: Memory allocated by operating system processes, drivers, and other applications.
- Startup Objects: Executable files and/or modifications made during computer startup.
You may also select:
- Quarantine found threats automatically: Immediately quarantine threats when they're detected. If not selected, the file will not be automatically quarantined.
Custom Scans
Custom Scans enable you to specify precisely what to scan. This scan is configured on the Configure > Schedules screen or can be run from the Manage > Endpoints page. For more information, see the following:
When choosing a Custom Scan, the following settings are available:
- Quarantine found threats automatically: Immediately quarantine threats when they're detected. If not selected, the file will not be automatically quarantined.
- Scan memory objects: Scans memory used by operating system processes, drivers, and other applications.
- Scan startup and registry settings: Scans executables that are started at boot and changes to the registry that can affect startup behavior.
- Scan within archives: Archive files are scanned, up to four levels deep. Encrypted archives are not scanned. Archive file types include ZIP, 7Z, RAR, CAB and MSI.
- Scan for rootkits: Scans the system kernel, firmware, and memory for rootkits. This may increase the time required to complete a scan and impact performance as it takes longer to read the disk in order to avoid interference from rootkits.
- Scan all local drives on endpoints: Scans all local drives hosted on an endpoint. Does not scan mounted or external drives unless specified in the Scan Path.
- PUPs/PUMs: Choose whether Potentially Unwanted Programs and Potentially Unwanted Modifications are considered malware or ignored.
- Scan Path: The top-level folder for the Custom Scan.
  - Use the drive letter to scan specific drives. For example, C:\.
  - Separate multiple directories with a comma. For example, C:\, D:\.
  - Use the file/folder path to scan specific files or folders: C:\Temp\Test.
We recommend running a full scan that checks all local drives on endpoints on a weekly basis.
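The "Scan within archives" limits above (four levels deep, encrypted archives skipped) leave content that a Custom Scan will not inspect. The following Python is an added example, not Malwarebytes code, that lists such entries in a ZIP file so they can be reviewed separately. It assumes the outermost archive counts as level 1 and handles only ZIP; the names audit_zip, nest and MAX_MEMBER_BYTES are hypothetical.

```python
import io
import zipfile

MAX_DEPTH = 4                  # nesting limit stated for "Scan within archives"
MAX_MEMBER_BYTES = 64 << 20    # assumption: skip very large members in this audit


def audit_zip(data, name="<root>", depth=1):
    """List (path, reason) for ZIP content outside the stated scan coverage.

    Assumption: the outermost archive counts as level 1.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}!{info.filename}"
            if info.flag_bits & 0x1:          # bit 0 set: entry is encrypted
                findings.append((path, "encrypted"))
            elif info.is_dir():
                continue
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "too large for this audit"))
            else:
                inner = zf.read(info)
                if not zipfile.is_zipfile(io.BytesIO(inner)):
                    continue                   # ordinary file, covered
                if depth + 1 > MAX_DEPTH:
                    findings.append((path, "nested deeper than 4 levels"))
                else:
                    findings.extend(audit_zip(inner, path, depth + 1))
    return findings


def nest(levels, payload=b"constructed sample"):
    """Build a ZIP nested `levels` deep in memory (constructed test input)."""
    data, member = payload, "note.txt"
    for i in range(1, levels + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, data)
        data, member = buf.getvalue(), f"level{i}.zip"
    return data


if __name__ == "__main__":
    for levels in (4, 5):
        print(levels, audit_zip(nest(levels)))
```

To audit a file on disk, pass its bytes, for example audit_zip(open(path, "rb").read(), path).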
Inventory & Vulnerability Scan
An Inventory & Vulnerability Scan looks at which Software Management settings are enabled in the group policy. The scan then retrieves the specified information from each endpoint and updates the endpoint details in the console. We recommend running this scan on a daily basis to keep endpoint information up-to-date.
Adjust Software Management settings in a policy
- Go to Configure > Policies.
- Select a policy, then scroll down to Software Management.
- Check a box per OS for each event that you want updated by an Inventory & Vulnerability Scan.
- Click Save.
Information collected during the asset scan is updated on the Endpoint Properties screen. Information scanned may include:
- Storage Devices: Connected storage, USB storage, and other devices.
- Memory Objects: Physical and virtual memory of the endpoints.
- Startup Programs: Registry entries for installed startup programs on the endpoint.
- Installed Software: Software installed on the endpoint.
- Software Updates: Software updates that occurred on the endpoint.
To view Endpoint Properties, go to Manage > Endpoints and click on an endpoint name. View more information on the endpoint by selecting the tabs at the top of the Endpoint Properties screen.
For more information on Endpoint Properties, see Manage endpoints in Nebula.
Notes
- If an endpoint is offline, scan results are stored locally on an endpoint until the system can connect back with Nebula.
- Nebula does not scan network or shared drives across endpoints.