Tuesday, April 27, 2010

WebInspect, background processes, and Windows services

HP WebInspect installs with two active Windows services running by default. Being "old school" and primarily DOS-taught, I dislike unnecessary services eating up memory, even though small by today's standards. Here is the reasoning and purpose for these particular services.

Services Installed

First service is the "WebInspect Scheduler". This is actually used by WebInspect, but only if the user plans to run assessments via the Scheduler tool. This service ensures that the scheduled job will run even if the WebInspect UI is closed. If you never plan to use the Scheduler, or only rarely, change this service from Automatic to Manual or Disabled. If set to Manual, you can always start it up from the HP ASC Monitor process mentioned below.

The second service is completely unnecessary for the WebInspect user, and that is the "AMP Sensor for WebInspect" service. This is only needed if you are connecting this workstation to an HP AMP Manager server to serve as one of its remote scan engines. If that is you, and you also have a copy of WebInspect, you will want to separate these to two separate workstations anyways. The reason is that while you may be happily running up to two assessments in the WebInspect UI, the AMP Sensor service might also be running a third in the background for some user on the AMP infrastructure, resulting in poor performance for you. So if you use AMP, install and configure the Sensor somewhere else, and whether you do or do not use AMP, set this service to Disabled on your WebInspect workstation.

Lastly, there is a helper process that runs in the System Tray known as the "HP ASC Monitor". It looks like a "black hat hacker" icon, and is just a short-cut to stop and start the two services mentioned above, or to configure the AMP Sensor's connection to the AMP Manager. This process can be closed without issue. You can always bring it back from the Windows Start Menu, under the HP WebInspect listing.

Running Processes

Now let's cover the actual processes used while scanning. Obviously the WebInspect.EXE process is the WebInspect application itself. If you happen to run the command-line version, you will see those scans being run by WI.EXE.

You may also see the ScriptServer.EXE from time to time, eating up an especially large amount of resources when scanning script-dense web sites. This is a helper process that parses the scripts for the WebInspect executable. This was built to avoid the natural .NET limitations in per-process memory use. Even if you have loads of installed RAM, the .NET framework has natural limits on the total memory any individual process may use, so by splitting this load between two processes the WebInspect scanner can chew on more of your site. Nice, eh? The ScriptServer process will appear and disappear as it is needed, and if it crashes it just respawns and continues without a hitch from where it left off. If you wish, you can kill this process and it will rebuild itself, which I have to admit to using on some pen tests when resources and screen activity seemed a little frozen.

Special Services

If you were to watch the WebInspect start-up via a network sniffer, you will find a series of requests being made. One series will be DNS checks for any Host Names specified in your Allowed IP Ranges attribute of your product license. Another series will be secure web requests being made to the HP SmartUpdate portal and their license service. If your license was recently updated, this process will fetch your new capabilities. The SmartUpdate service will fetch any updates to the vulnerability database and/or the product binaries, provided your license has not expired. Got to pay that Maintenance fee!

A rarer service that may occur is the Support Channel feature. When marking a False Positive, there is an option to send the item in question as quality feedback to the HP research team anonymously. This bundle of data may be sent immediately or queued to run once a connection can be made. There are similar ways to send enhancement requests or bundles of support-related data from the Help menu, but all of these use the Support Channel function. Those Messages you see in the Start Page tab are also delivered as part of the Support Channel check-in.


1 comment:

  1. One thing I noticed in the May release of WebInspect 8.1 is that the services I previously Disabled got set back to Automatic. I guess they did that to ensure I had the best product, but you will want to recheck your own WebInspect service configurations after any major update.