Windows - Configuration Management - Network Scan

What the network scanner does

This Automox Worklet™ performs comprehensive network reconnaissance by scanning specified subnets in CIDR notation (for example, 192.168.1.0/24). The Worklet discovers active endpoints on your network and tests connectivity to the top 20 well-known TCP ports including SSH (22), HTTP (80), HTTPS (443), RDP (3389), SMB (445), and DNS (53).

For each discovered endpoint, the Worklet attempts to retrieve the hostname through reverse DNS lookup and the MAC address from the local ARP cache. All results are compiled into a CSV-formatted report and output to the Automox Activity Log, making it easy to parse and integrate with third-party security tools and inventory systems.

The Worklet uses asynchronous concurrent scanning with configurable throttling to optimize performance based on endpoint CPU capacity. You can adjust scan intensity (LOW, MEDIUM, HIGH, EXTREME) to balance speed against accuracy, with lower settings completing faster but potentially missing some open ports.

Why you need network discovery and assessment

Security teams struggle to identify unauthorized endpoints on their network segments. Unknown endpoints connecting to your infrastructure create blind spots that attackers exploit. Without network discovery, you cannot verify that all active endpoints are properly managed and compliant. Network discovery is fundamental to IT security and compliance. Organizations cannot secure what they cannot see. This Worklet helps you identify unknown or rogue endpoints connecting to your network, detect open ports that may indicate exposed services, and maintain an accurate hardware inventory including MAC addresses for access control.

Security teams use network scans to validate firewall rules, identify potential attack surfaces, and support vulnerability assessments. Compliance frameworks including PCI-DSS, HIPAA, and SOC 2 require documented evidence of network discovery and monitoring. This Worklet automates the discovery process and distributes it across your endpoint fleet for comprehensive visibility without requiring a separate scanning appliance.

Network inventory maintained through regular scans helps IT operations teams track hardware lifecycles, plan capacity, and correlate network activity with endpoint management events. The CSV output integrates with spreadsheets, databases, and SIEM platforms for centralized analysis.

How network subnet scanning works

1. Evaluation phase: The Worklet evaluates the current endpoint to determine which network to scan. If no network is specified, it automatically detects the endpoint's local subnet using its assigned IP address and subnet mask. The evaluation also parses any custom network ranges provided in CIDR notation.

2. Remediation phase: The Worklet enumerates all IP addresses in the target subnet(s) and launches concurrent TCP connection attempts to specified ports on each IP. It respects the ThrottleLimit setting to avoid overwhelming the endpoint–for example, with a limit of 8, it tests 8 concurrent IPs at a time. For each responding IP, the Worklet attempts reverse DNS resolution and ARP lookup, then outputs results as CSV rows to the Activity Log with columns for hostname, IP address, MAC address, open ports, and failed ports.

Network scanning requirements

• Supported on Windows 10, Windows 11, and Windows Server 2016 or later

• Requires PowerShell 5.0 or later with local administrator privileges

• Network parameter accepts comma-delimited list of subnets in CIDR notation (for example, 192.168.1.0/24,192.168.2.0/24)

• Ports parameter accepts an array of TCP port numbers; defaults include FTP (21), SSH (22), Telnet (23), SMTP (25), DNS (53), HTTP (80), POP3 (110), RPC (135), NetBIOS (139), IMAP (143), HTTPS (443), SMB (445), SMTPS (587), IMAPS (993), POP3S (995), PPTP (1723), MySQL (3306), RDP (3389), PostgreSQL (5432), VNC (5900), and HTTP Proxy (8080)

• Accuracy parameter affects scan timeout: LOW (100ms), MEDIUM (250ms), HIGH (500ms), EXTREME (1250ms per connection)

• Throttle limit defaults to the greater of 8 or the endpoint's logical processor count to prevent resource exhaustion

• Network connectivity is required; the scanning endpoint must be able to reach target IP addresses (not blocked by firewall rules or routing)

• Compatible with RunNow on-demand execution and automated vulnerability remediation (AVR) scheduling

Expected network discovery output

After execution, your endpoint will have completed a comprehensive network scan and logged results to the Activity Log. The Activity Log will display a CSV-formatted table documenting all discovered endpoints and their open ports. Each row includes the hostname (or 'Unknown' if reverse DNS fails), IP address, MAC address (or 'Unknown' if not in ARP cache), comma-separated list of open ports, and comma-separated list of ports where the connection attempt failed or timed out.

You can copy the CSV output directly into a spreadsheet, database, or SIEM for further analysis. For network segments with many endpoints or slow connectivity, increase the Accuracy setting (which increases the timeout) to capture ports on slower or heavily congested networks. The Worklet handles partial failures gracefully–if reverse DNS or ARP lookups fail for an endpoint, it still reports the IP address and port scan results.

How to validate network scan changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for network scan.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as the evaluation and remediation scripts.

4. Validate remediation effects from script operations such as NETBIOS-SSN, Write-Verbose, Get-NetIPAddress, then rerun evaluation for compliance.