The system passively detects the identity of the operating
system running on a host by analyzing the network and application stack in
traffic generated by the host or by analyzing host data reported by the User
Agent. The system also collates operating system information from other
sources, such as the Nmap scanner or application data imported through the host
input feature. The system considers the priority assigned to each identity
source when determining which identity to use. By default, user input has the
highest priority, followed by application or scanner sources, followed by the

Sometimes the system supplies a general operating system
definition rather than a specific one because the traffic and other identity
sources do not provide sufficient information for a more focused identity. The
system collates information from the sources to use the most detailed

Because the operating system affects the vulnerabilities list
for the host and the event impact correlation for events targeting the host,
you may want to manually supply more specific operating system information. In
addition, you can indicate that fixes have been applied to the operating
system, such as service packs and updates, and invalidate any vulnerabilities
addressed by the fixes.

For example, if the system identifies a host’s operating system
as Microsoft Windows 2003, but you know that the host is actually running
Microsoft Windows XP Professional with Service Pack 2, you can set the
operating system identity accordingly. Setting a more specific operating system
identity refines the list of vulnerabilities for the host, so your impact
correlation for that host is more focused and accurate.

If the system detects operating system information for a host
and that information conflicts with a current operating system identity that
was supplied by an active source, an identity conflict occurs. When an identity
conflict is in effect, the system uses both identities for vulnerabilities and

You can configure the network discovery policy to add discovery
data to the network map for hosts monitored by NetFlow exporters. However,
there is no operating system data available for these hosts, unless you
use the host input feature to set the operating system identity.

If a host is running an operating system that violates a
compliance white list in an activated network discovery policy, the system
marks the operating system information with the white list violation icon.
In addition, if a jailbroken mobile device violates an active white list, the
icon appears next to the operating system for the device.

You can set a custom display string for the host’s operating
system identity. That display string is then used in the host profile.

Changing the operating system information for a host may change
its compliance with a compliance white list.

In the host profile for a network device, the label for the
Operating Systems section changes to Systems and an additional Hardware column
appears. If a value for a hardware platform is listed under Systems, that
system represents a mobile device or devices detected behind the network
device. Note that mobile devices may or may not have hardware platform
information, but hardware platform information is never detected for systems
that are not mobile devices.

Descriptions of the operating system information fields
displayed in the host profile follow.