What is Possible Scan Interference?
The Possible Scan Interference issue will be shown when a port that was first detected as open, is later found to be closed. Given the number of possible causes, it can be a particularly difficult issue to diagnose from afar, but there are a few likely culprits that we've listed below.
What could be causing it?
To help to identify the cause of the issue, one of the first things to take a look at is the Raw Scanner Output (RSO). To view this, follow the steps below:
Open the issues page and click on the Possible Scan Interference issue
Click on the 'See Scan Output' button next to the occurrence (shown in pink below)
A pane will appear on the right, scroll down and view the output shown under 'Open Port Re-check' (as seen below)
Take note of the ports that this issue has been detected on
Once you have this information, you can then use this to identify a possible cause and potentially a solution:
Web Application Firewalls – Ports 80/443
If your target is behind a Web Application Firewall (WAF) then you'll likely see
Port 80 and/or
Port 443 in the Raw Scanner Output. If you have a WAF on the target, the scanning activity may be detected as malicious and therefore blocked from reaching the target.
IPS/IDS – All Ports
Intrusion Prevention Systems (IPSs) or Intrusion Detection Systems (IDSs) might detect our scanning activity as an Intrusion and block traffic on all ports.
sshguard are examples of these tools that impact
Port 22 specifically.
In order to fix this, you should add the Intruder Scanner IP Ranges to your allowlist in the IPS/IDS.
Mail Server Protection – Ports 25/110/143
If the Raw Scanner Output for this issue is showing common mail server ports such as those listed above, it's possible that there are some protective mechanisms in place that either prevent high volume traffic, or block certain traffic entirely.
In order to fix this, you should check to see if the mail server has some sort of protection enabled and look to add the Intruder Scanner IP Ranges to the allowlist.
DDoS/DoS Prevention Tools
The high volume traffic sent by the scanner can also trigger DDoS tools, which can run on any open port (so there's nothing specific to look for in the raw scanner output for this one).
In order to prevent this issue, you would need to add the Intruder Scanner IP Ranges to the allowlist on these systems.
Certain Firewall settings such as Geographical IP Filtering/Internet Management Policies can cause our traffic to be blocked or otherwise restricted. This would mean that the scanner may be unable to complete a scan or it may be unable to establish all of the checks as part of the scan.
If this is likely to be the cause, then the first thing to try is adding the Intruder Scanner IP Ranges to your allowlist
If you use Cloudflare for your target, then we recommend allowlisting the scanner in the Firewall and also allowing the scanner to bypass and Web Application Filtering that may be in place.
Due to the fact that Cloudflare provide both WAF and Firewall services, we have a dedicated article on how to do this here.
If your target cannot handle a large amount of traffic, it may have been overwhelmed and stopped responding. In this case, you may want to look at the available resources on the machine or throttle the scan speed which may prevent it being overwhelmed.
Hosting Provider blocking
It is also worth noting that if you use WPEngine, then WPEngine's policies state that "You may not perform any vulnerability or penetration testing of WP Engine’s network or systems, including your own hosted environment, without our prior written approval" so unfortunately the use of vulnerability scanning tools would not be permitted without the written consent they speak of.
How does it affect the scan?
If this issue is flagged on one of your scans this means that we may not have been able to comprehensively check your target for all issues.
For example, if Possible Scan Interference is detected on Port 443, this would mean that we are unable to detect any vulnerabilities that may exist on this port after it was closed, leading to incomplete scan results; the scan of the other ports likely remains unaffected but could be deemed less reliable.