John,

VMWare is a good tool but you have to take it for what it is and work around its shortcomings to make it work properly if you have a high I/O application.

When I set up a server that will run VMWare for VMs, I often make a number of changes to the system to prevent too much swap / caching of memory. I usually limit swap/cache to 1 or 1.5 times the total memory of the system. In the case of a Windows system I set the cache initial size to the full size of cache and do not let it grow; this prevents it from becoming fragmented. Often I'll turn off all swap/cache on a Windows system and run a disk defragmentation many times, then enable the swap/cache to its full size so that I know that it will be a contiguous file and not fragmented and that it will be earlier on the disk for faster seek times. I actually tend to do this when I first build the system, well before any applications are installed.

VMWare settings:

Network: keep it bridged.

Memory: Give the VM as much memory as you believe you would need for a system natively doing these tasks. If you shortchange the system you will introduce a lot of lag as it caches out of the host system running VMWare and its own caching. Nessus has timeouts for scanning and for NASL connections; if your system is slow at responding because it does not have enough memory, it will miss connections and your scan will be missing data, at best. If this is a Windows 2003 server, give it 500MB, the OS needs it.

Also remember that Windows XP has a decremented IP stack since the implementation of SP2. See the KB I've attached below from our customer portal about this issue. Since you are running a VM, I'd recommend throttling down the scan even more for better reliability in the results.

Increase the memory for the VM and slow down your scans for now and see how it goes.

Regards,
-- Dan

Daniel Bowman
Director of Support & ITS
Tenable Network Security
mailto:[EMAIL PROTECTED]
http://www.tenablesecurity.com/

Knowledgebase

ARTICLE SUMMARY: Nessus Windows, Server vs. XP

SYMPTOMS: Is there a difference in running Nessus Windows on Windows Server (2003) versus Windows XP (Home & Pro)?

RESOLUTION: Microsoft added changes to Windows XP SP-2 (Home & Pro) that can impact the performance of Nessus Windows and cause false negatives. The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate (10 per second). If too many enter the queue, they may be dropped. See the following Microsoft TechNet page for more information:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx

This has the effect of causing a Nessus scan on Windows XP to potentially have false negatives, as XP only allows for 10 new connections per second that are incomplete (in a SYN state). For better accuracy it is recommended that a Windows XP system have its port scan throttled down to the following, which is found in the individual scan configuration for each scan policy.

Max number of hosts: 8
Max number of security checks: 4
...
Max number of packets per second for a port scan: 50

For increased performance and scan reliability it is highly recommended that Nessus Windows be installed on a server product from the Microsoft Windows family like Windows 2003 Server.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 08, 2006 09:26
To: Nessus
Subject: Nessus 3 for Windows and VMWare Question

Hello everyone,

I'm testing Nessus for Windows (3.0.3 Build W334) and VMWare Server (1.0.1 build-29996) on various laptops. When I run Nessus 3 from the host my reports are the same; when I run Nessus 3 from VMWare the reports are different.

Does anyone know of any issues with Nessus 3 and VMWare? I have the NIC configured to bridge, should I change it to NAT? Does anyone know of VMWare/Nessus config?

Thanks to everyone in advance

Take Care and Have Fun
--John
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
