Scan is very slow. My machine has 8 CPUs and 16 GB of RAM, yet the scan only reached 8% after 1.5 hours.
I am only scanning a /24 subnet with about 60-70 alive hosts.
```
free -m
              total        used        free      shared  buff/cache   available
Mem:          15872        1790        6497         147        7584       13605
Swap:           521           0         521
```
CPUs are at 100%, all 8 of them. Is that expected? Is that normal?
The scan is set to scan 4 hosts at one time.
A simple way for some insight into what is going on is to start “htop”, filter for “openvas”, select hierarchical view and configure htop to update process titles as well.
You can then see and follow the single tests, given with filenames. Perhaps it already gives you a clue what might be delaying the scan. And if you feel like a nerd you can strace long-running scans directly from htop, or lsof them, to get some deep insight.
Depending on targets, scan scope and network, what you observe might be normal. But there might also be some opportunity to improve scan performance. If such a scan takes more than 8 hours, then I would say there is some flaw. Any of my scans with a comparable target size need less than 1 hour, though.
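The same per-test view can be scripted; this is an added example, not part of the original thread. It ranks running test processes by elapsed time and assumes process titles of the form `openvas: testing <host> (<file>.nasl)`; the sample `ps` lines, plugin paths and the function names are constructed.

```shell
#!/bin/sh
# Rank running scanner test processes by elapsed time, longest first.
# Assumption: process titles look like
#   openvas: testing <host> (<path>/<file>.nasl)
# Live use: ps -eo pid=,etimes=,args= | slow_tests 600

# Constructed sample of `ps -eo pid=,etimes=,args=` output.
sample_ps() {
cat <<'EOF'
 2101   5400 openvas: testing 192.0.2.10 (/plugins/constructed_slow_check.nasl)
 2102     12 openvas: testing 192.0.2.10 (/plugins/constructed_banner.nasl)
 2230    950 openvas: testing 192.0.2.21 (/plugins/constructed_portscan.nasl)
 2231      3 openvas: testing 192.0.2.21 (/plugins/constructed_ssh.nasl)
 1999   7200 openvas: (constructed non-test title)
 3000    100 grep openvas
EOF
}

# slow_tests MIN_SECONDS
# Reads ps output on stdin and prints "<seconds> <host> <nasl file> <pid>"
# for every test that has been running for at least MIN_SECONDS.
slow_tests() {
  awk -v min="$1" '
    $3 == "openvas:" && $4 == "testing" && $2 + 0 >= min + 0 {
      file = $6
      sub(/^\(/, "", file)     # drop the opening parenthesis
      sub(/\)$/, "", file)     # drop the closing parenthesis
      sub(/^.*\//, "", file)   # keep only the file name
      print $2, $5, file, $1
    }' | sort -rn
}

# Tests in the constructed sample that have run for 10 minutes or more.
sample_ps | slow_tests 600
```

A host that keeps showing the same file near the top of this list is the one to look at first, for example with the strace or lsof approach mentioned above.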
At a quick glance the situation seems to be normal. However, your machine is running at least 2 scan tasks in parallel. I suggest waiting.
Personally I prefer the tree view (toggle with F5).
It does run two tasks in parallel because I’ve set the tasks 1 hour apart, thinking the first one will be done before the second starts, but I guess I was wrong.
I am thinking maybe some time-out settings need to be tweaked?
This is how it looked about 4 hours ago. Now one of the tests is done; the other is at 60%.
Your scan time depends on many parameters like port list and timeouts. E.g. if you scan all UDP ports, every host might have “65565 * UDP Timeout / Max-Parallel per Hosts”. Then your host-alive criteria are very important: a best practice would be an ICMP ping alive test; the default might detect running ghost hosts depending on your network.
If you have, for example, Proxy ARP, that will ruin your scan time. So you need to know what ports: UDP will slow your scan down massively; TCP and ICMP ping alive might be faster, but if you need to discover services behind a firewall you need other settings.
The default values are a best practice from the security point of view, not the speed!
While I do agree that scans might take a long time to finish, 21 hours looks to me a bit too much. I will play around with the settings to see if I can bring it down a bit. Are there any settings for timeout that I can alter?
Do your hosts have firewalls or personal firewalls active?
Do you run against UDP as ports?
Do you have ICMP ping and only scan alive hosts?
All IANA Assigned TCP Ports would be a good start … if any of these questions is a yes, your time could be 21 or 24h … normally you can scan a bigger network in much less time.
Do your hosts have firewalls or personal firewalls active? Yes
Do you run against UDP as ports? No. All IANA TCP is set up
Do you have ICMP ping and only scan alive hosts? Yes
Hi,
as soon as you have a somewhat capable machine, scan time mostly does not depend on the scanner.
What is a capable machine? A system not overwhelmed by the number of processes started. GVM starts a process for every NVT. It does by default up to 4 NVTs per host and 20 hosts in parallel, resulting in up to 80 processes.
If your machine still has enough power to run these processes, scan times always depend on the hosts that are scanned and their response times. Especially if (local) firewalls are involved on the scanned hosts which do not reject (recommended) but drop unwanted packets.
I always recommend customers to first scan a single host to get an impression. Scans of a /24 might take anything between 1-2 hours and even days depending on your network environment.
Still, based on your environment, you could probably increase the number of hosts scanned in parallel and maybe even the number of NVTs per host. This is done in the task configuration. But then you should not run two scans at the same time. It might be too much for your scanner.
Hi. The machine has 8 vCPUs and 16 GB RAM and it is run off an SSD, if that matters.
I have had issues before with more than 4 hosts at the same time and more than 4 NVTs per host, where the scan would just hang and never finish, so right now I came down to 4 and 4 and it took 20 hours and 56 minutes for a /24 with 125 hosts. The hosts are both physical and virtual and also a mix of Windows, Linux, VMware (also Linux), switches and Cisco firewalls.
Looking at the time, the VMware hypervisors took between 45 minutes and 1 hour each and there are 7 of them.
Hi,
as Lukas and Jan already pointed out, this is not unusual but actually expected if you do have (local) firewalls enabled (especially in dropping mode).