I’m having an issue with my scans. I am running Active Directory (2008R2) and all PCs are Windows 7. I’ve added exceptions to the firewall via GPO to allow inbound remote administration and ICMP exceptions. I’ve verified on a device that won’t scan properly that the policy is being applied correctly. When I run my network scan, the device is added to Inventory, but I have no details regarding the device (software, CPU, RAM, etc.). When I select the device and choose to rescan, I see that port 135 is not listed as open. I can turn off the firewall and it will try to conduct the scan, but once it completes I still don’t have any details. I guess my question is two-fold:
- Has anyone had any issues where the policy is applied correctly but the scan still can’t be completed unless the Firewall was turned off?
- Has anyone had any issues where the computer is able to be scanned, but there were still no details returned?
What’s really puzzling is that it appears to happen randomly as 50%-60% of the computers are scanned properly while the remainder are having issues.
Thanks in advance,
Chris
will-f-sw
(Will F (Spiceworks))
Hi Chris. Welcome to the Community!
This can be caused by a couple of different issues. Have you gone through our documentation below in regards to resolving unknown devices? If not, try running the WMI commands from the Spiceworks host on a couple of these unknowns and see if you are able to get the serial number. Those commands can be found under the “Resolving Unknown Windows Devices” section of the doc:
https://community.spiceworks.com/help/Resolving_Unknown_Devices
If I disable the firewall on the device, I can perform the WMI commands with no issues. If I then try to re-scan the device, I get a message stating “Yep! Worked, we’re scanning the device now” and once the scan goes away, it doesn’t appear that it updated anything. I still don’t have any details about the pc.
Rod-IT
(Rod-IT)
Your screenshot shows WMI as closed (port 135 in the above).
I see that. Does the wmic utilize that port? If so, when I disable my firewall, the command referenced in the article by Will works without any issues. I don’t know why it shows the port as closed in Inventory. I’ve also set specific rules on the firewall to ensure it’s open and when I run netstat -a to view active ports, it shows active for 0:0:0:0 and [:::], but not for my network IP Address. I’m not sure how to make it active for my network IP Address.
Rod-IT
(Rod-IT)
WMI uses port 135 as shown in the image.
If you use windows firewall and nothing else, try this;
Run a Command Prompt as Administrator on the machine that is failing, and enter / paste the following (without quotes):
netsh advfirewall firewall set rule group="windows management instrumentation (WMI)" new enable=Yes
Tried that and still no go. I’m looking at several of the workstations that are experiencing this issue and they all use the same group policy settings, same firewall settings, and same anti-virus settings, so I’m curious as to what is wrong with these particular machines. I’d be pulling my hair out if I had any left!
What is most puzzling is that according to the documentation, ports TCP 135 & 445 along with UDP 139 need to be open. I see where (netstat -an) port 139 is open on my network IP Address, but 135 & 445 show only to be open on the 0.0.0.0 and [:::] addresses and not my network IP Address. Think if I can figure that one out I can get the problem fixed.
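To check the two things discussed in the last few posts (whether TCP 135 and 445 are reachable from the scanning host, and whether a remote WMI query actually works) from the Spiceworks host rather than from netstat on the client, here is an added diagnostic script. It is not from the thread or from the Spiceworks documentation; it assumes you run it on the Spiceworks host with an account in the target’s local Administrators group, and the Win32_BIOS serial query is my stand-in for the doc’s WMI command, which the thread does not quote.

```powershell
# Added diagnostic; not from the thread or the Spiceworks docs.
# Assumes: run on the Spiceworks host, $Target is a failing Windows 7 client,
# $Credential is a member of that client's local Administrators group.
param(
    [Parameter(Mandatory = $true)][string]$Target,
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
)

# Ports the thread says the scanner needs: TCP 135 (RPC endpoint mapper, which
# WMI/DCOM uses) and TCP 445 (SMB). UDP 139 is not probed: a bare UDP connect
# gives no reliable open/closed answer.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($port in 135, 445) {
    $state = if (Test-TcpPort -ComputerName $Target -Port $port) { 'open' } else { 'closed/filtered' }
    Write-Host ("TCP {0,-4} {1}" -f $port, $state)
}

# Remote WMI query (Get-WmiObject works on PowerShell 2.0 / Server 2008 R2).
# If this returns a serial number, DCOM and the WMI permissions are fine and the
# inventory gap is elsewhere; the error text narrows down which layer is blocking.
try {
    $bios = Get-WmiObject -Class Win32_BIOS -ComputerName $Target -Credential $Credential -ErrorAction Stop
    Write-Host ("WMI OK   serial={0}" -f $bios.SerialNumber)
} catch {
    # 0x800706BA "RPC server is unavailable": port/firewall/IPS or WMI service.
    # 0x80070005 "Access is denied": rights or UAC remote restrictions, not ports.
    Write-Host ("WMI FAIL {0}" -f $_.Exception.Message)
}
```

If TCP 135 shows open here but the Inventory page still reports WMI closed, the block is between the scanner and the client rather than on the client itself, which is the IPS/IDS point raised later in the thread.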
Rod-IT
(Rod-IT)
I’m pretty sure your file and printer sharing is still disabled.
Ignoring the firewall, right click Network and Sharing Centre (the network icon), go to advanced sharing settings and turn on file and printer sharing - you may as well enable discovery too.
re-scan this machine
Ok, sorry it took so long to get back on this. I went into my network settings and file and printer sharing were already enabled, as was discovery. I also checked a device that is being scanned properly and it turns out its netstat results were the same as my workstation. When I view the device that scans correctly in Inventory, however, it shows WMI open.
I’ve disabled the Windows Firewall and my anti-virus. I’ve added specific rules to both firewall and anti-virus for ports 135, 139, and 445. Nothing can seem to get through, however. Even when I disable both, it still can’t seem to work for these devices. I’ve verified the WMI service is running and through Computer Management have verified that the local Administrators group has full access to WMI. The account I’m using to log onto the device is part of the local admins group. Is there anything else that I’m missing?
Rod-IT
(Rod-IT)
I may have missed it, but what version of Windows is this: 7, 8, 8.1, 10, Home, Pro, Enterprise, Education, Starter etc.?
Do you have any IDS or IPS on the network?
Anything in the device’s event logs?
Sorry, Windows 7 SP1 Pro. IPS is running on the endpoint, but it’s running on all PC-based endpoints. I did check event logs earlier and didn’t see anything. I’ll run another scan and see if anything turns up.
Rod-IT
(Rod-IT)
IPS, unless told otherwise, will block SW scans - you need to add the SW server’s IP to trusted, then re-run the scan. It may already be added on the others - I can’t answer that, but if IPS/IDS doesn’t trust the scanning IP, it will block it and no end of firewall rules or WMI configurations will help.
Check your IPS logs
Ok, I’ve got to leave for the day. Will try in the morning. Thanks for all of your help!
I tried it by completely disabling the endpoint IPS but had the same result. I’ll research it some more about what on the Windows side might be causing that port to show closed. Again, I appreciate your help so far.
Rod-IT
(Rod-IT)
If Spiceworks doesn’t find it on a subnet scan and it’s showing as not there, then something on the client is blocking this - or something on the network, if you have a network-wide IPS.
Might be some obscure GPO setting that I’m overlooking. I’ll see what else I can check and go back over that. I’ve tried disabling the firewall, AV, and IPS on the device and still can’t get it to scan, so it has to be something else. Oh well, I’ll keep trying…
Rod-IT
(Rod-IT)
Do keep us posted and if you need any guidance we’ll try to assist.
Bear in mind that if your IDS is scanning the network, this itself may be stopping it before it gets to the device.