Is a single host scan better than a full segment scan?

I might be wrong because I'm using the python-gvm tool to talk with the API, but when scanning 1 Win XP host with SMB creds I'm getting a lot more vulnerabilities than when I scan the full segment including this host. On the full segment scan I get only part of the results for this host.

Using OpenVAS 20.08 and all the relevant scanner tools with the same version.

Hi @traubas,
The scanner main process creates a new process for each host in the target list. Each host is independent of the other ones. The hosts in the target list just share the scan config, port list and preferences. Therefore, the amount of results for a host should be the same for a single host target or a host list target.
A single host authenticated scan (using credentials) will produce more results than a non-authenticated scan.
Is your network able to handle all the traffic generated by the scanner? Is there any firewall in the middle? Did you see some error in the scanner log files?

2 Likes

In addition to this, it might also be a lack of available Redis databases (insufficient Redis configuration) if a larger network range is getting scanned. See the following topic for some notes on the required Redis config:

A misconfigured Redis and the available databases will affect the scan duration, because a host needs a free db and must wait for another host to finish.
An advantage of a multi-host target/large network range scan is the memory usage, as each task requires an extra db in Redis, an extra openvas main process, and an extra ospd-openvas process handling the task. Gvmd will also fork processes per task. So, a single task with many hosts is better from the memory usage point of view.

However, these should not affect the amount of results per host.

1 Like
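
To see exactly which results the segment scan lost for the host, the two reports can be compared per host. This is an added example, not code from any post in this thread; it assumes both reports were exported as XML whose `<result>` elements carry `<host>`, `<port>` and `<nvt oid="...">`, and the sample reports, addresses and OIDs below are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample reports (not real scan output), reduced to the fields used.
SINGLE_HOST_REPORT = """<report><results>
<result><host>192.0.2.10</host><port>445/tcp</port><nvt oid="OID-PLACEHOLDER-1"/></result>
<result><host>192.0.2.10</host><port>general/tcp</port><nvt oid="OID-PLACEHOLDER-2"/></result>
<result><host>192.0.2.10</host><port>general/tcp</port><nvt oid="OID-PLACEHOLDER-3"/></result>
</results></report>"""

SEGMENT_REPORT = """<report><results>
<result><host>192.0.2.10</host><port>445/tcp</port><nvt oid="OID-PLACEHOLDER-1"/></result>
<result><host>192.0.2.20</host><port>22/tcp</port><nvt oid="OID-PLACEHOLDER-4"/></result>
</results></report>"""


def results_by_host(report_xml):
    """Map each host address to the set of (NVT OID, port) pairs reported for it."""
    found = {}
    for result in ET.fromstring(report_xml).iter("result"):
        # <host> may contain child elements; its leading text is the address.
        host = (result.findtext("host") or "").strip()
        nvt = result.find("nvt")
        if not host or nvt is None:
            continue  # skip malformed or incomplete result entries
        port = (result.findtext("port") or "").strip()
        found.setdefault(host, set()).add((nvt.get("oid"), port))
    return found


def missing_for_host(single_xml, segment_xml, host):
    """Results present in the single-host report but absent from the segment report."""
    single = results_by_host(single_xml).get(host, set())
    segment = results_by_host(segment_xml).get(host, set())
    return sorted(single - segment)


if __name__ == "__main__":
    for oid, port in missing_for_host(SINGLE_HOST_REPORT, SEGMENT_REPORT, "192.0.2.10"):
        print(f"missing in segment scan: {oid} on {port}")
```

The list of missing checks is what to bring to the scanner logs: it narrows the search to the tests that ran in one scan and not in the other.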