Virginia Tech® home

Vulnerability Scanning

The IT Security office conducts vulnerability scanning at Virginia Tech. Vulnerability scans are designed to identify potential vulnerabilities in operating systems, application software, and network devices. A vulnerability scan can target a specific type of system (e.g. web server) or be a broad, exhaustive audit of an operating system.

What to Expect

The IT Security office will schedule a time with you to scan your devices, as well as establish the scope of the scan. After the scan has been completed the IT security office will provide a complete copy of the vulnerability scan report.

Request a Scan

Vulnerability scans can be requested through the Virginia Tech ServiceNow Catalog. Once submitted, an analyst with the Security Office will contact you to discuss the details of the scan.

Request Vulnerability Scan (ServiceNow)

Vulnerability Scanning Overview

Why do we scan for vulnerabilities?

In order to reduce information security risks, the Virginia Tech IT Security Office (ITSO) conducts periodic vulnerability assessments that consist of scanning computers campus-wide. The ITSO may also scan as needed for vulnerabilities that are known to be under attack or of particular interest to attackers.

Which systems/services/applications may be scanned?

All systems and applications connected to the campus network may be scanned. Systems and applications hosted in other networks using university domain names will also be in scope for assessment.

When will vulnerability scans be conducted?

High risk systems will be scanned monthly and as needed to ensure vulnerability remediation has occurred.

Is it possible some reported vulnerabilities are false positives?

Yes. If you believe a reported vulnerability is a false positive or does not apply to your system in a specific context, please let us know.

From where will vulnerability scans originate?

  • booberry.iso.vt.edu
    • 198.82.145.75
    • 2001:468:c80:212f:0:40b0:b00:b00
  • cheerios.iso.vt.edu
    • 198.82.145.71
  • cornflakes.iso.vt.edu
    • 198.82.145.70
    • 2001:468:c80:212f:0:40f8:f124:1e24
  • oats.iso.vt.edu
    • 198.82.145.74
    • 2001:468:c80:212f:0:4054:231:5105
  • stream.cirt.vt.edu
    • 128.173.54.101
    • 2001:468:c80:c111:0:4041:bad0:cad

What data is collected and how will it be used?

Vulnerability scanning collects an inventory of potential vulnerabilities and classifications (Critical, High, Medium, Low, Informational). This data is treated as confidential university data.

What Information Security Policy and Standards is this based on?

The ITSO’s minimum security standard requires that any system or application in scope be regularly assessed for security vulnerabilities:

Minimum Security Standards for Systems

Virginia Tech Minimum Security Standards

Acceptable Use of Information Systems at Virginia Tech

Acceptable Use Policy

Vulnerability Types

Note: If Critical and High vulnerabilities are not remediated, the ITSO may take action to isolate or remove vulnerable systems from the network.

Severity Required Remediation
Critical Vulnerability must be remediated within 7 days.
High Vulnerability must be remediated within 14 days.
Medium None
Low None
Info None