Security Center

What does the different scan statuses mean?

Scans are performed to gather risk and vulnerability information from the assets being scanned. Each scan progresses through various statuses, starting from the preparation phase until its completion and the collection of results.

Scan execution

  • Scanner Appliances
    Private and dedicated to a specific account.
  • External
    Scan nodes that are hosted and managed by Holm Security, are shared between all accounts.

Available statuses:

Every scan carries a status that reflects what is currently happening with the scan or how it was completed.

  • Stopped
    The scan is not running and is currently being stopped. A manual action from a user in the account typically triggers this. 
  • Paused
    The scan has been paused. This can be a manually triggered action by a user or when the vulnerability feed is being applied on the scan node. Note: Network scans can only be paused for up to 2 hours.
  • Requested
    The scan is about to start and is currently queued.
  • Running
    The scan is being executed and is currently in progress.
  • Finished
    Successfully completed without any errors.
  • Finished with warning
    The scan was completed but with some additional information, such as the inability to find any alive hosts during the scan.
  • Error
    The scan was not completed successfully. Instead, it ran into a severe issue that impacted its ability to execute and/or collect the scan result.

Common scenarios 

Why is a scan running at below 10% progress or at 99-100% for a more extended period of time? 

Scans contain several phases, where the first part below 10% is the discovery phase. This part can take a long period of time as assets, ports and services are still being discovered. 

At the end of a scan, which is more common for Web application scans, there are still targets (e.g. URLs) left to be evaluated for vulnerabilities, which can impact this phase depending on the response time of URLs and if more URLs are discovered. 

Why did a network scan not find any hosts alive/active? 

The most common explanation for this is that the scan profile used in the scan did not use proper settings to discover hosts. 

Every scanned network requires different scan discovery techniques to adapt to how the network is configured. TCP SYN detection is usually the most used detection technique, while sometimes you need to utilize SYN+ACK or even ICMP, or with different combinations.

It is recommended to start tuning the scan profile first with a smaller set of hosts scanned, to make sure it is accurately discovered before scanning larger networks. 

Read more about different scan techniques.

Why did my external scan end up in an error without any cause?

External scans are executed on shared scan nodes utilized across many Security Center accounts. Holm Security manages these scan nodes to ensure they are operational and optimally balanced to run scans without issues. 

In rare cases, a scan can end up in an error state due to an internal issue with that particular scan node. It can be due to circumstances like a temporary overload or an infrastructure resource constraint. 

These scenarios should always be edge cases and temporary. If you experience this repeatedly, contact our support to escalate the case further.