Usually our scans on unauthenticated targets can take anything from 15 minutes up to 24 hours to complete. For authenticated targets, the scans can sometimes take 48 hours to complete. There are a number of factors that can influence run time, with the most common ones outlined below:
Large number of targets
The biggest factor in any scan is simply how many targets you've added. If one target can take up to a few hours, then hundreds of targets could potentially take hundreds of hours. It's not normally that bad, as we can run many checks in parallel, but as a general rule, the more targets, the longer it takes.
High total number of ports & services
For each discovered service, a number of checks need to be carried out by our scanners. So if you've entered targets with a total of hundreds or thousands of open ports running services exposed to the internet, then our scans will take longer to do all the checks they need to do. If you only need to scan web ports (80 and 443), the 'Default Web Ports Only' advanced scan setting can be set to decrease scan run times.
Intrusion prevention systems
In some rare cases, intrusion prevention systems can aim to confuse scanners by making ports which are closed appear to be open, which, for the same reason as above, can cause extended scan times. Some firewalls and modern edge routers even have IDS technology built in, so it may be worth double-checking if your scan is taking a long time. We recommend whitelisting our scanners through any intrusion prevention systems, as these could hamper our efforts to detect open ports and services, and slow down our overall scans.
Very large websites
Our web-application checks (whether they’re being run against authenticated or unauthenticated pages) are some of the most time-consuming elements of our scan. As such, websites with a very large number of webpages linked to the home page may experience longer scan times.
Some customers have unusual networking or server configurations that can lead to long-running scans. For example, in one case a reverse proxy was set up to serve a single website from a large number of non-standard ports. This caused our scanner to scan the same website thousands of times. If this is happening on your targets, we'll do our best to let you know about it!
Scans that run on targets with an authentication method configured will take longer than unauthenticated external scans. This is because the scanner is performing an increased number of checks, and each one of these comprehensive checks, on average, takes longer than those run from an unauthenticated perspective.
Some of the same factors as for External Targets apply: Intrusion Prevention Systems (IPSs), Web Application Firewalls (WAFs), large websites and unusual configurations can increase scan run time. In addition, for authenticated targets, it is common for scan run times to be longer than for unauthenticated scans, especially if there is a large number of parameter URLs, a convoluted path structure or nested pages, amongst other factors.
Some internal checks involve scanning certain files for weaknesses; if those files are very large or if the system has a very big filesystem to scan, it can increase scan run times.
The machine is unresponsive
If the machine is switched off, there is a problem with the network connection, or the agent is not installed correctly, the scanner will attempt to connect with the agent periodically for 12 hours. (This is designed to catch systems that are switched off or otherwise unavailable, giving the system a window within which to start scanning.) If the scanner doesn't hear back once those 12 hours have elapsed, the target will be marked as unresponsive and the scan will end.
It's worth noting that if you're scanning multiple machines at once and just one of them is unresponsive, it will delay the results for all.