Scan takes forever

Scan is very slow. My machine has 8 CPUs and 16 GB of RAM, yet the scan only reached 8% after 1.5 hours.
I am only scanning a /24 subnet with about 60-70 alive hosts.
```
free -m
              total        used        free      shared  buff/cache   available
Mem:          15872        1790        6497         147        7584       13605
Swap:           521           0         521
```

CPUs are at 100%, all 8 of them. Is that expected? Is that normal?
The scan is set to scan 4 hosts at one time.

GVM versions

gsad: 9.0.1
gvmd: 9.0.1
openvas-scanner: 7.0.1
gvm-libs: 11.0.1

Environment

**Operating system:** CentOS 8
**Kernel:** Linux 4.18.0-193.14.2.el8_2.x86_64 #1 SMP Sun Jul 26 03:54:29 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
**Installation method / source:** source

A simple way for some insight into what is going on is to start “htop”, filter for “openvas”, select hierarchical view and configure htop to update process titles as well.

You can then see and follow the single tests, given with filenames. Perhaps it already gives you a clue as to what might be delaying the scan. And if you feel like a nerd, you can strace long-running scans directly from htop, or lsof them, to get some deep insight.

Depending on targets, scan scope and network, what you observe might be normal. But there might also be some opportunity to improve scan performance. If such a scan takes more than 8 hours, then I would say there is some flaw. Any of my scans with a comparable target size need less than 1 hour, though.


Please see the screenshot attached. At this moment in time the CPU load has dropped down.

Which scan config did you use? E.g. testing UDP ports will take a lot of time.

I am using Full And Fast always.

At a quick glance the situation seems to be normal. However, your machine is running at least 2 scan tasks in parallel. I suggest waiting.
Personally I prefer the tree view (toggle with F5).

It does run two tasks in parallel because I’ve set the tasks 1 hour apart, thinking the first one will be done before the second starts, but I guess I was wrong.

I am thinking maybe some time-out settings need to be tweaked?

This is how it looked about 4 hours ago. Now one of the tests is done; the other is at 60%.

Looks like normal scanning, no blocking situation, no bug.
Would you regard your initially reported issue as solved?

Your scan time depends on many parameters like port list and timeouts. E.g. if you scan all UDP ports, every host might have “65565 * UDP Timeout / Max-Parallel per Hosts”. Then your host-alive criteria are very important: a best practice would be an ICMP-Ping Alive; the default might detect running ghost hosts, depending on your network.
If you have, for example, Proxy-ARP, that will ruin your scan time. So you need to know what ports: UDP will slow your scan down massively; TCP and ICMP Ping Alive might be faster, but if you need to discover services behind a firewall you need other settings.
The default values are a best practice from the security point of view, not the speed!

While I do agree that scans might take a long time to finish, 21 hours looks to me a bit too much. I will play around with the settings to see if I can bring it down a bit. Are there any settings for timeout that I can alter?

Quick questions:

Do your hosts have firewalls or personal firewalls active?

Do you run against UDP as ports?

Do you have ICMP ping and only scan alive hosts?

All IANA Assigned TCP Ports would be a good start … if any of these questions is a yes, your time could be 21 or 24h … normally you can scan a bigger network in much less time.

Do your hosts have firewalls or personal firewalls active?
Yes
Do you run against UDP as ports?
No. All IANA TCP is set up
Do you have ICMP ping and only scan alive hosts?
Yes

Try to repeat your scans with all firewalls deactivated.

Unfortunately that is impossible.

Then you have to live with longer scan times. I repeated my authenticated scan test with a /23 with 162 hosts, and that finished in 3.5h.

Hi,
as soon as you have a somehow capable machine, scan time does not depend on the scanner mostly.
What is a capable machine? A system not overwhelmed by the number of processes started. GVM starts a process for every NVT. It does by default up to 4 NVTs per host and 20 hosts in parallel, resulting in up to 80 processes.
If your machine still has enough power to run these processes, scan times always depend on the hosts that are scanned and their response times. Especially if (local) firewalls are involved on the scanned hosts which do not reject (recommended) but drop unwanted packets.
I always recommend customers to first scan a single host to get an impression. Scans of a /24 might take anything between 1-2 hours and even days, depending on your network environment.
Still, based on your environment, you could probably increase the number of hosts scanned in parallel and maybe even the number of NVTs per host. This is done in the task configuration. But then you should not run two scans at the same time. It might be too much for your scanner.

Ralf

Hi. The machine has 8 vCPUs and 16 GB RAM and it is run off an SSD, if that matters.
I have had issues before with more than 4 hosts at the same time and more than 4 NVTs per host, where the scan would just hang and never finish, so right now I came down to 4 and 4, and it took 20 hours and 56 minutes for a /24 with 125 hosts. The hosts are both physical and virtual and also a mix of Windows, Linux, VMware (also Linux), switches and Cisco firewalls.
Looking at the time, the VMware hypervisors took between 45 minutes and 1 hour each, and there are 7 of them.

Hi,
as Lukas and Jan already pointed out, this is not unusual but actually expected if you do have (local) firewalls enabled (especially in dropping mode).

Ralf
