External Vulnerability Scan Interference

When External Vulnerability Scan reports generated by Network Detective do not show ports that are "known" to be open on the scanned external IP addresses, this most likely indicates that an Intrusion Prevention System (IPS) is blocking the external vulnerability scan, resulting in a "Scan Interference" condition.

To resolve this Scan Interference problem, you must configure any external threat detection and defense measures to accept connections from the Network Detective External Vulnerability Scanning system.

These external threat detection systems are varied, and might include or be referred to as IPS (Intrusion Prevention Systems), Anomaly Detection and Prevention, WAF (Web Application Firewalls), TCP SYN Flood Protection, NMAP Port Scan blocking, etc.

An IPS is typically designed to block any irregular or aggressive packet activity that it deems suspicious or potentially malicious. A vulnerability scanner sends many requests to many ports over a short period of time, which matches that profile, so IPS devices block the external vulnerability scanner's packets.

To prevent this issue, the following IP addresses of the External Vulnerability Scanning system should be "whitelisted" (allow-listed) within your device's defense measures:

104.36.109.64/27
104.36.109.68-104.36.109.94

199.38.219.160/27
199.38.219.164-199.38.219.189

199.38.222.183
199.38.222.66
199.38.222.67
199.38.222.68
199.38.222.69
199.38.222.70
199.38.222.71
199.38.222.72
199.38.222.73
199.38.222.74
199.38.222.75
199.38.222.76
199.38.222.77
199.38.222.78
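As an added example (not part of this article or the Network Detective product), the Python script below parses the allow-list above in the three notations this page uses (CIDR block, dash-separated range, single address), collapses them into the smallest set of CIDR blocks that a firewall or IPS exception rule can consume, and checks whether a given source address is covered. The address values are copied from this page; the function names are assumptions of this example.

```python
import ipaddress

# Allow-list entries in the three formats used on this page: CIDR block,
# dash-separated range, and single host address (values copied from the page).
SCANNER_SOURCES = [
    "104.36.109.64/27",
    "104.36.109.68-104.36.109.94",
    "199.38.219.160/27",
    "199.38.219.164-199.38.219.189",
    "199.38.222.183",
    "199.38.222.66", "199.38.222.67", "199.38.222.68", "199.38.222.69",
    "199.38.222.70", "199.38.222.71", "199.38.222.72", "199.38.222.73",
    "199.38.222.74", "199.38.222.75", "199.38.222.76", "199.38.222.77",
    "199.38.222.78",
]


def parse_entry(entry: str) -> list[ipaddress.IPv4Network]:
    """Turn one allow-list entry into a list of IPv4 networks.

    A dash range is expanded with summarize_address_range, so the result is
    always CIDR blocks that a firewall rule can use directly.
    """
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    # strict=False tolerates host bits set inside a CIDR entry (e.g. a typo'd mask)
    return [ipaddress.IPv4Network(entry, strict=False)]


def collapse_allowlist(entries) -> list[ipaddress.IPv4Network]:
    """Parse every entry and merge overlapping or adjacent blocks into the
    smallest equivalent set of networks (redundant sub-ranges are dropped)."""
    nets = [n for e in entries for n in parse_entry(e)]
    return list(ipaddress.collapse_addresses(nets))


def is_scanner_source(ip: str, entries=SCANNER_SOURCES) -> bool:
    """True if a source address belongs to the scanner allow-list."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in collapse_allowlist(entries))


if __name__ == "__main__":
    # Print the minimal CIDR set to paste into an IPS/firewall exception rule.
    for net in collapse_allowlist(SCANNER_SOURCES):
        print(net)
```

Note that both dash ranges on the page fall inside the /27 block listed just above them, so the collapsed output contains only the two /27s plus the 199.38.222.x hosts.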

In addition, we recommend that you refer to your device manufacturer's documentation to identify all detection and defense features on the devices you are scanning. Then configure those devices so that the Network Detective External Vulnerability Scanner can successfully reach the ports that are known to be open and unfiltered.

Please keep in mind that multiple devices can block traffic at any point along the path, so you should consider all upstream devices and whether your ISP is blocking traffic as well. In cases where upstream providers interfere with scans, you may not be able to achieve a clean scan every time; repeating the scan monthly and verifying the results is the best approach to getting the best coverage possible.

As an alternative, we offer an ASV scan service (from our scanning partner Server Scan) that provides PCI DSS compliant scans. The ASV scan is more comprehensive and runs unsafe as well as safe scans, which may provide better detection.
