How the returned status of scans works?

Scans are executed, and collect results from the scanned assets contain risk and vulnerability information. Every scan goes through several different statuses from when it is about to start to when it is completed and the result has been collected. 

Scan execution

  • Scanner Appliances
    Private and dedicated to a specific account.
  • External
    Scan nodes that are hosted and managed by Holm Security, shared between all accounts.

Every scan carries a status that reflects what is currently happening with the scan or how it was completed.

Available statuses

  • Stopped
    The scan is not running and is currently being stopped. This is normally triggered by a manual action from a user in the account. 
  • Paused
    The scan has been paused. This can be a manually triggered action by a user or when the vulnerability feed is being applied on the scan node. 
  • Requested
    The scan is about to start and is currently queued.
  • Running
    The scan is being executed and is currently in progress.
  • Finished
    Successfully completed without any errors.
  • Finished with Warning
    The scan was completed but with some additional information, such as Unable to find any alive hosts during scan.
  • Error
    The scan was not completed successfully. Instead, it ran into a severe issue that impacted its ability to execute and/or collect the result of the scan. You should try to. 

Common scenarios 

Why is a scan running at below 10% progress or at 99-100% for a longer period of time? 

Scans contain several phases where the first part below 10% is the discovery phase. This part can take a long period of time as assets, ports and services are still being discovered. 

At the end of a scan, which is more common for Web application scans, there are still targets (e.g URLs) left to be evaluated for vulnerabilities which can impact this phase depending on the response time of URLs and if more URLs are discovered. 

Why did a network scan not find any hosts alive/active? 

The most common explanation for this is that the scan profile used in the scan did not use proper settings to discover hosts. 

Every network that is scanned requires different scan discovery techniques to adapt to how the network is configured. TCP SYN detection is normally the most used detection technique while sometimes you need to utilize SYN+ACK or even ICMP, or with different combinations.

It is recommended to start tuning the scan profile first with a smaller set of hosts scanned, to make sure it is accurately discovered before scanning larger networks. 

Read more about different scan techniques.

Why did my external scan end up in an error without any cause?

External scans are executed on shared scan nodes which are utilized across many Security Center accounts. Holm Security manages these scan nodes to make sure they are operational at all times and optimally balanced to have scans running on these without any issues. 

In rare cases, a scan can end up in an error state due to an internal issue with that particular scan node. It can be due to circumstances like a temporary overload or an infrastructure resource constraint. 

These scenarios should always be edge cases and temporary. If you experience this repeatedly, reach out to our support to escalate the case further. 



Have more questions? Submit a request


Please sign in to leave a comment.