What is Possible Scan Interference?
The Possible Scan Interference issue is shown when a port that was first detected as open is later found to be closed. Given the number of possible causes, it can be a particularly difficult issue to diagnose from afar, but there are a few likely culprits, which we've listed below.
What could be causing it?
To help identify the cause of the issue, one of the first things to take a look at is the Raw Scanner Output (RSO). To view this, follow the steps below:
1. Open the Issues page and click on the Possible Scan Interference issue.
2. Click on the 'Scanner Output' button next to the occurrence (shown in pink below).
   In cases where the scanner output is longer than can be shown in the portal, an option to download the output will be shown:
3. A pane will appear on the right. Scroll down and view the output shown under 'Open Port Re-check' (as seen below).
4. Take note of the ports that this issue has been detected on.
Once you have this information, you can then use this to identify a possible cause and potentially a solution:
Web Application Firewalls – Ports 80/443
If your target is behind a Web Application Firewall (WAF) then you'll likely see Port 80 and/or Port 443 in the Raw Scanner Output. You'll also see the 'WAF detected' notification on the target's detail page:
You can also filter your Targets page using the 'WAF interference detected' filter on the left-hand side to view any affected targets:
If you have a WAF on the target, the scanning activity may be detected as malicious and therefore blocked from reaching the target.
In order to fix this, add the Intruder Scanner IP Ranges to your WAF Bypass list.
If you use Cloudflare, then we have a dedicated article for that.
IPS/IDS – All Ports
Intrusion Prevention Systems (IPSs) or Intrusion Detection Systems (IDSs) might detect our scanning activity as an intrusion and block traffic on all ports. Fail2Ban and sshguard are examples of such tools; they specifically affect Port 22.
In order to fix this, you should add the Intruder Scanner IP Ranges to your allowlist in the IPS/IDS.
Mail Server Protection – Ports 25/110/143
If the Raw Scanner Output for this issue is showing common mail server ports such as those listed above, it's possible that there are some protective mechanisms in place that either prevent high volume traffic, or block certain traffic entirely.
In order to fix this, you should check to see if the mail server has some sort of protection enabled and look to add the Intruder Scanner IP Ranges to the allowlist.
DDoS/DoS Prevention Tools
The high volume of traffic sent by the scanner can also trigger DDoS protection tools, which can act on any open port (so there's nothing specific to look for in the raw scanner output for this one).
In order to prevent this issue, you would need to add the Intruder Scanner IP Ranges to the allowlist on these systems.
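To tie the port-based heuristics above together (WAF on 80/443, IPS/IDS and Fail2Ban/sshguard on 22, mail server protection on 25/110/143, DoS protection on any port), here is an added Python example, not Intruder's own code, that parses a constructed 'Open Port Re-check' excerpt and suggests the likely culprit for each host. The line format, the host addresses and the function names are assumptions; the real Raw Scanner Output may be laid out differently, so adapt parse_recheck() to it.

```python
"""Triage helper for 'Possible Scan Interference' findings.

Added example, not Intruder's own code. It assumes a simplified, constructed
line format for the 'Open Port Re-check' section of the Raw Scanner Output:
    <host> <port>/<proto> <initial-state> -> <recheck-state>
"""
import re
from collections import defaultdict

# Constructed sample output (RFC 5737 documentation addresses, not real targets).
SAMPLE_RECHECK = """\
Open Port Re-check
203.0.113.10 80/tcp open -> closed
203.0.113.10 443/tcp open -> closed
203.0.113.10 22/tcp open -> open
203.0.113.20 22/tcp open -> filtered
203.0.113.20 25/tcp open -> open
203.0.113.30 25/tcp open -> closed
203.0.113.30 110/tcp open -> closed
203.0.113.30 143/tcp open -> closed
203.0.113.40 21/tcp open -> closed
203.0.113.40 22/tcp open -> closed
203.0.113.40 80/tcp open -> closed
203.0.113.40 443/tcp open -> closed
203.0.113.40 8080/tcp open -> closed
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s+(\w+)\s*->\s*(\w+)$")

# Port groups named in the article.
WAF_PORTS = {80, 443}
SSH_PORTS = {22}
MAIL_PORTS = {25, 110, 143}


def parse_recheck(text):
    """Return {host: {port: (initial_state, recheck_state)}} for parsable lines."""
    results = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank or unrecognised line
        host, port, _proto, initial, recheck = m.groups()
        results[host][int(port)] = (initial, recheck)
    return dict(results)


def interfered_ports(host_results):
    """Ports that were open on the first pass but no longer open on re-check."""
    return sorted(port for port, (first, again) in host_results.items()
                  if first == "open" and again != "open")


def likely_cause(host_results):
    """Map the set of lost ports to the article's likely culprits.

    Service-specific groups are checked first; losing every port that was open,
    including ports outside those groups, points at something acting on all
    ports (IPS/IDS or DoS protection) rather than at a single service.
    """
    lost = set(interfered_ports(host_results))
    if not lost:
        return "no interference"
    if lost <= WAF_PORTS:
        return "Web Application Firewall (ports 80/443)"
    if lost <= SSH_PORTS:
        return "SSH protection such as Fail2Ban/sshguard (port 22)"
    if lost <= MAIL_PORTS:
        return "mail server protection (ports 25/110/143)"
    if lost == set(host_results):
        return "IPS/IDS or DDoS/DoS protection (all ports lost)"
    return "firewall/IPS or DoS protection (mixed ports lost)"


def triage(text):
    """Per-host summary: which ports were lost and the most likely cause."""
    return {host: {"lost_ports": interfered_ports(r), "likely_cause": likely_cause(r)}
            for host, r in parse_recheck(text).items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_RECHECK).items():
        print(f"{host}: lost {verdict['lost_ports']} -> {verdict['likely_cause']}")
```

Whatever the verdict, the fix the article recommends is the same in shape: add the Intruder Scanner IP Ranges to the allowlist of the system named in the verdict, then re-run the scan and confirm the port stays open on re-check.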
Firewall configuration
Certain Firewall settings such as Geographical IP Filtering/Internet Management Policies can cause our traffic to be blocked or otherwise restricted. This would mean that the scanner may be unable to complete a scan or it may be unable to establish all of the checks as part of the scan.
If this is likely to be the cause, then the first thing to try is adding the Intruder Scanner IP Ranges to your allowlist.
Cloudflare
If you use Cloudflare for your target, then we recommend allowlisting the scanner in the Firewall and also allowing the scanner to bypass any Web Application Filtering that may be in place.
Because Cloudflare provides both WAF and Firewall services, we have a dedicated article on how to do this here.
Targets overwhelmed
If your target cannot handle a large amount of traffic, it may have been overwhelmed and stopped responding. In this case, you may want to look at the available resources on the machine or throttle the scan speed, which may prevent it from being overwhelmed.
Hosting Provider blocking
It is also worth noting that if you use WPEngine, then WPEngine's policies state that "You may not perform any vulnerability or penetration testing of WP Engine’s network or systems, including your own hosted environment, without our prior written approval" so unfortunately the use of vulnerability scanning tools would not be permitted without the written consent they speak of.
How does it affect the scan?
If this issue is flagged on one of your scans, this means that we may not have been able to comprehensively check your target for all issues.
For example, if Possible Scan Interference is detected on Port 443, this would mean that we are unable to detect any vulnerabilities that may exist on this port after it was closed, leading to incomplete scan results; the scan of the other ports likely remains unaffected but could be deemed less reliable.
How to fix it?
As mentioned in each of the sections above, the best option to fix this issue is to add the Intruder Scanner IP Ranges to the allowlist for each of the respective systems. If you use Cloudflare, then please see our dedicated article for how to permit our traffic in Cloudflare.