Possible Scan Interference

What is Possible Scan Interference (PSI) and how to fix it

Updated over 2 weeks ago

What is Possible Scan Interference?

The Possible Scan Interference issue will be shown when a port initially detected as open is later found closed. Given the number of possible causes, it can be particularly difficult to diagnose from afar, but there are a few likely culprits we've listed below.

What could be causing it?

To help identify the cause of the issue, one of the first things to look at is the Raw Scanner Output (RSO). To view this, follow the steps below:

  1. Open the Issues Page and click on the Possible Scan Interference issue

  2. Click on the target name shown under the issue title on the left to view the Scanner Output (highlighted in pink)

  3. Take note of the ports shown under the Scanner Output title. In this case, it's ports 443 and 22, but there may be a number of ports listed here.

Once you have this information, you can use it to identify a possible cause and, potentially, a solution.

Web Application Firewalls – Ports 80/443

If your target is behind a Web Application Firewall (WAF), then you'll likely see Port 80 and/or Port 443 in the Raw Scanner Output. You'll also see the 'WAF application firewall (WAF) detected' notification on the target's detail page.

You can also filter your Targets page using the 'WAF interference' filter on the left-hand side to view any affected targets.

If you have a WAF on the target, the scanning activity may be detected as malicious and therefore blocked from reaching the target.

To fix this, add the Intruder Scanner IP Ranges to your WAF allowlist. If you use Cloudflare, then we have a dedicated article for that.

IPS/IDS – All Ports

Intrusion Prevention Systems (IPSs) or Intrusion Detection Systems (IDSs) might detect our scanning activity as an intrusion and block traffic on all ports. Fail2Ban and sshguard are examples that impact Port 22 specifically.

To fix this, you should add the Intruder Scanner IP Ranges to your allowlist in the IPS/IDS.
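
To confirm this cause from the target's side, the following added example (not Intruder's code) parses Fail2Ban action log lines and reports bans that fall inside the scanner's IP ranges. The ranges are documentation placeholders, and the log lines and jail names are constructed samples in Fail2Ban's default log layout.

```python
import ipaddress
import re

# Placeholder ranges (RFC 5737 documentation space), not real scanner ranges:
# substitute the ranges your scanning vendor publishes.
SCANNER_RANGES = ["203.0.113.0/24", "198.51.100.16/28"]

# Constructed sample lines in Fail2Ban's default log layout.
SAMPLE_LOG = """\
2024-05-01 10:15:32,101 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.7 - 2024-05-01 10:15:31
2024-05-01 10:15:33,456 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-05-01 10:20:02,004 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.50
2024-05-01 10:25:33,900 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2024-05-01 11:02:10,310 fail2ban.actions        [812]: NOTICE  [postfix] Ban 198.51.100.20
"""

ACTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+\[\d+\]:"
    r"\s+\w+\s+\[(?P<jail>[^\]]+)\]\s+(?:Restore\s+)?(?P<action>Ban|Unban)\s+(?P<ip>\S+)$"
)

def scanner_bans(log_text, ranges=SCANNER_RANGES):
    """Return (events, still_banned) for IPs inside the scanner ranges."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    events, still_banned = [], set()
    for line in log_text.splitlines():
        m = ACTION_RE.match(line.strip())
        if not m:
            continue  # not a Ban/Unban action line
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field
        if not any(ip in net for net in nets):
            continue  # ban of an unrelated client
        events.append((m["ts"], m["jail"], m["action"], m["ip"]))
        key = (m["jail"], m["ip"])
        if m["action"] == "Ban":
            still_banned.add(key)
        else:
            still_banned.discard(key)
    return events, still_banned

if __name__ == "__main__":
    events, banned = scanner_bans(SAMPLE_LOG)
    for ev in events:
        print(*ev)
    print("still banned:", sorted(banned))
```

Any hit whose timestamp falls inside the scan window points to the IPS as the cause; in Fail2Ban the allowlist is the `ignoreip` setting.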

Mail Server Protection – Ports 25/110/143

If the Raw Scanner Output for this issue shows common mail server ports, such as those listed above, it's possible that protective mechanisms are in place that either prevent high-volume traffic or block certain traffic entirely.

To fix this, check whether the mail server has any protections enabled, and consider adding the Intruder Scanner IP Ranges to the allowlist.

DDoS/DoS Prevention Tools

The high-volume traffic sent by the scanner can also trigger DDoS prevention tools, which can run on any open port (so there's nothing specific to look for in the raw scanner output for this one).

To prevent this issue, add the Intruder Scanner IP Ranges to the allowlist on these systems.

Firewall configuration

Certain firewall settings, such as Geographical IP Filtering/Internet Management Policies, can block or otherwise restrict our traffic. As a result, the scanner may be unable to complete a scan or run all of its checks.

If this is likely to be the cause, then the first thing to try is adding the Intruder Scanner IP Ranges to your allowlist.

Cloudflare

If you use Cloudflare for your target, then we recommend allowlisting the scanner in the Firewall and also allowing the scanner to bypass any Web Application Filtering that may be in place.

Because Cloudflare provides both WAF and Firewall services, we have a dedicated article on how to do this here.

Targets overwhelmed

If your target cannot handle high traffic, it may become overwhelmed and stop responding. In this case, you may want to look at the available resources on the machine or throttle the scan speed to prevent it from being overwhelmed.

Hosting Provider blocking

Before proceeding, we strongly recommend consulting your hosting provider’s policies to confirm that automated vulnerability scanning is permitted.

  • Example (WP Engine): WPEngine's acceptable use policy states, "You may not perform any vulnerability or penetration testing of WP Engine’s network or systems, including your own hosted environment, without our prior written approval," so unfortunately, the use of vulnerability scanning tools would not be permitted without the written consent they speak of.


How does it affect the scan?

If this issue is flagged in one of your scans, it means we may not have been able to comprehensively check your target for all issues.

For example, if Possible Scan Interference is detected on Port 443, this would mean that we are unable to detect any vulnerabilities that may exist on this port after it was closed, leading to incomplete scan results. The scan of the other ports would likely remain unaffected, but could be deemed less reliable.


How to fix it?

The best option to fix this issue is to add the Intruder Scanner IP Ranges to the allowlist of each respective system. If you use Cloudflare, please see our dedicated article on how to allowlist our IPs in Cloudflare.
