Scanner Knocking Hosts Offline

Hi everyone,

I’m having a lot of trouble configuring a scan in such a way that it does not knock some of our Windows hosts offline. It’s done it to a MySQL DB (hosted on Windows), a Windows 10 workstation and one of our Server 2012 R2 Hyper-V hosts.

I’ve tried to disable anything that mentions “brute force” or “DDoS” in the scan config and limited the number of NVTs and hosts per scan, but it continues to make some hosts unresponsive, requiring us to sign in at a console and restart the network adapter or reboot them. Is there an NVT I’m missing that could be causing this issue?

Do you use Full & Fast? Do you run an IDS/IPS on that server/workstation?

That is the first time we hear that.


I’m not familiar enough with Windows to say if this is possible at all; nevertheless I would suggest looking at this from the side of the affected host and debugging the problem on that host.

The rationale behind this suggestion is simple: everything that is triggered (especially a host requiring a restart) can be triggered by an attacker as well. So instead of “weakening” a scan or trying to solve this from the scanner side, the affected target host should be fixed instead.

Yes, I’ve cloned the Full & Fast and added a domain account for an authenticated scan. No IDS/IPS on those hosts. Actually, if I scan without authentication, the scan doesn’t negatively impact the hosts this way.

Hi @fernangeles,

I would be very interested to know if you found a way round this, or just gave up. I have just hit the same issue. I have been scanning my servers for a couple of years but only recently noticed that authenticated scans cause a WMI process to spin out of control and use 100% of the server CPU, effectively causing a DoS.

I reported it, but the response I got from Greenbone was to just stop doing authenticated scans. Personally I think that’s unacceptable: that the authenticated WMI scan uses up 100% of a server CPU is not a problem with the server, it’s an issue with the way the scan is written.

This is not a vulnerability; we are deliberately giving the scan authenticated access to the server. If an antivirus client used 100% of the CPU to run a scan it would be considered faulty, so why do they consider it acceptable to do this to a server?
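A host-side way to chase this, as an added example that is not from anyone in this thread: a PowerShell watcher run on the affected Windows host during an authenticated scan that samples the CPU of the WMI Provider Host processes (WmiPrvSE.exe), logs which instance spikes, and captures the WMI-Activity events from the same window, so the cause can be diagnosed on the target as suggested above. The threshold, interval, sample count and log path are assumptions chosen here.

```powershell
# Added example, not part of the thread. Run in an elevated PowerShell on the affected host
# while the authenticated scan is in progress. Defaults below are assumptions.
param(
    [int]$ThresholdPercent = 80,   # alert when one WmiPrvSE instance exceeds this share of total CPU
    [int]$IntervalSeconds  = 5,
    [int]$Samples          = 60,   # 60 x 5 s = 5 minutes, enough to cover a scan window
    [string]$LogPath       = "$env:TEMP\wmi-cpu-watch.log"
)

# '% Processor Time' for a process is summed over all cores, so normalise by core count
$cores = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors

for ($i = 0; $i -lt $Samples; $i++) {
    # Wildcard picks up every WMI Provider Host instance (wmiprvse, wmiprvse#1, ...)
    $cpu = (Get-Counter '\Process(WmiPrvSE*)\% Processor Time' -ErrorAction SilentlyContinue).CounterSamples
    foreach ($s in $cpu) {
        $pct = [math]::Round($s.CookedValue / $cores, 1)
        if ($pct -ge $ThresholdPercent) {
            # Map the counter instance back to a PID via the 'ID Process' counter
            $idPath = "\Process($($s.InstanceName))\ID Process"
            $procId = (Get-Counter $idPath).CounterSamples[0].CookedValue
            $line = "{0:s} WmiPrvSE instance {1} (PID {2}) at {3}% CPU" -f (Get-Date), $s.InstanceName, $procId, $pct
            Write-Warning $line
            Add-Content -Path $LogPath -Value $line

            # WMI-Activity operational events from the last interval show which queries
            # and client processes were active when the spike was observed
            Get-WinEvent -FilterHashtable @{
                LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
                StartTime = (Get-Date).AddSeconds(-$IntervalSeconds)
            } -ErrorAction SilentlyContinue |
                Select-Object TimeCreated, Id, Message |
                Format-Table -Wrap -AutoSize | Out-String |
                Add-Content -Path $LogPath
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

The resulting log pairs each CPU spike with the WMI queries in flight at that moment, which is the evidence needed to decide whether a particular provider on the host, or a particular query issued by the scan, is responsible.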