I scheduled some scans to run over the weekend using WebInspect, but arrived at work today to find they all failed. This was the first time I had scheduled scans via WebInspect, as we usually perform these tasks through AMP without any issues.
Through the WebInspect Interface I was unable to find any information as to why the error had occurred. The only indication that an error had occurred was a Last Run Status of "Failure" against the schedule on the Manage Schedule Tab.
On investigating this further via the Windows Event Viewer, I came across the following error for the WebInspect Scheduler Service.
Scheduled scan 2f04068e-fe19-45bd-b084-8824d5a84e25 failed. Last 5000 characters of output:
Cannot Start Scanner because you do not have permission to run the selected policy.
Has anyone else come across this error before, or would you be able to tell me what the likely cause/fix for this error would be?
Hi. I'm going to ask a number of questions regarding your WebInspect installation to perform a better diagnosis and resolution of the issue. The error message "Scheduled scan 2f04068e-fe19-45bd-b084-8824d5a84e25 failed. Last 5000 characters of output: Cannot Start Scanner because you do not have permission to run the selected policy." normally presents itself when WebInspect is configured to use AMP and because of an AMP permissions restriction the user does not have the ability to run a scan with the policy selected. That's not to say this is what happened in your case. Let's find out. Here are the questions:
1) Is WI configured to use AMP? By that I mean does WI have to connect to AMP in order to run a scan?
2) When you go to manage scans (open scans) are there scan listings for any of the scans you had scheduled? If yes, what happens when you open them? Do you see the same listing in the scan log that you saw in the event viewer?
3) Is this a default WebInspect installation? Did the schedule service user get changed to something other than the default (system)?
4) Please let me know the first 6 characters of your activation token.
Thank you very much as usual for your help and sorry it has taken me so long to reply.
1) Yes, we are dependent on a connection to AMP in order to run a scan.
2) No, the scans are not displayed under Manage Scans.
3) I was not involved with the installation of WI or AMP, so unfortunately can't say. The AMP Sensor for WebInspect and WebInspect Scheduler Service Services on the WI Sensor are both set to "Local System account".
We have been running various tests in an attempt to try and resolve this issue. In doing so we have found that the error only occurs on Custom (user created) Policies. For instance we can schedule and run a scan using the standard OWASP Top10 Policy.
Thanks for all the valuable information. We'll try to reproduce the problem. In the meantime consider using AMP to schedule your scans. You should be able to upload the scan settings from WebInspect to AMP for use as a scan template.
You may also consider changing the schedule user to a named account that has AMP permission to use the selected policy.
If neither of those work, and we are unable to reproduce the issue here, then you'll need to work with the support team to get a virtual room open and maybe dig into the AMP custom policies. But let's cross that bridge later, if we come to it.
Some questions that have come up here are:
Are there specific reasons you are using WebInspect's scheduler rather than the AMP's scan scheduling capabilities?
Could we set up a call with you to discuss features and usage?
I've taken your advice and uploaded the scan settings to AMP and am now running all scheduled scans through AMP instead of WebInspect.
Our main reason for using WebInspect, instead of AMP, to schedule scans, was so we could browse the site tree after a scan and ascertain which pages had been assessed. We usually also export the site tree and edit/filter this through Excel to provide our clients a list of the directories/pages assessed. Our work-around for this at the moment is to download the scan from AMP to one of our sensors.
I have also noticed that not all of the 'Other Exclusion/Rejection Criteria' from my WebInspect Scan settings are imported to AMP, when transferring these settings?