Scanner Knocking Hosts Offline

Hi everyone,

I’m having a lot of trouble configuring a scan in such a way that it does not knock some of our Windows hosts offline. It’s done it to a MySQL db (hosted in Windows), a Windows 10 workstation and one of our Server 2012 R2 Hyper-V hosts.

I’ve tried to disable anything that mentions “brute force” or “ddos” in the scan config and limited the number of NVTs and hosts per scan, but it continues to make some hosts unresponsive, requiring us to sign in at a console and restart the netadapter or reboot them. Is there an NVT I’m missing that could be causing this issue?

Do you use Full & Fast? Do you run an IDS/IPS on that server/workstation?

That is the first time we hear that.

I’m not familiar enough with Windows to say if this is possible at all; nevertheless, I would suggest looking at this from the side of the affected host and debugging this problem on that host.

The rationale behind this suggestion is simple: everything that is triggered (especially a host requiring a restart) can be triggered by an attacker as well. So instead of “weakening” a scan or trying to solve this from the scanner side, the affected target host should be fixed instead.

Yes, I’ve cloned the Full & Fast and added a domain account for an authenticated scan. No IDS/IPS on those hosts. Actually, if I scan without authentication, the scan doesn’t negatively impact the hosts this way.