Hello and welcome to this community forum,
if the following has been verified:
- the port is in the used port list and the service is identified by the previous port scan
- no outdated version of the scanner / software stack affected by this is in use
a few guesses:
- the service in question is “overloaded” during a scan and doesn’t respond in an adequate time
- network congestion, IPS/IDS or WAF devices and similar network security equipment can play a role
- the service in question is not a HTTP(s) one
About Nr. 3:
As the name of the VT “SSL/TLS: Report Vulnerable Cipher Suites for HTTPS” (OID: 1.3.6.1.4.1.25623.1.0.108031) which is detecting and reporting systems affected by SWEET32 “remotely” says a reporting is only happening for HTTP(s) services.
To the best of our knowledge there are no real world attacks / scenarios for this flaw against Non-HTTP services so SWEET32 itself is only reported for HTTP(s) services currently / until otherwise proofed.
Note that DES / 3DES ciphers (the ones actually affected by SWEET32) are also generally reported by the following and for all services as well:
- SSL/TLS: Report Weak Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.103440)
- SSL/TLS: Report Medium Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.902816)
which can be used to check systems affected by SWEET32 as well.