I believe that scan interference is one of the primary issues that many customers and ASV providers don't understand. This post explains what it is and how to remediate it during an ASV scan.
To ensure reliable scanning, the ASV scan solution must operate without interference from active protection systems. Here, “active” refers to security systems that adjust their behavior based on data from non-attack network traffic patterns. These systems may include intrusion prevention systems (IPS), web application firewalls (WAF), network security controls, quality of service (QoS) devices, and even spam filters that block traffic based on prior SMTP data.
Non-attack traffic refers to legitimate network patterns that do not indicate malformed or malicious activity. In contrast, attack traffic includes malicious patterns or those matching known attack signatures, malware, or packets that exceed the maximum allowed IP packet size.
If an ASV identifies that an active protection system has blocked or filtered a scan, it must follow the procedures outlined in the Resolving Inconclusive Scans section (7.6) of the ASV Program Guide.
Resolving Inconclusive Scans
There are three methods to address an inconclusive scan:
- Temporary Configuration Changes: The customer may need to adjust settings to facilitate the scan.
- Evidence Provision: The customer can provide proof that the scan was not actively blocked.
- Collaboration: The customer and ASV can agree on a method to conduct scans without interference.
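To show what "evidence that the scan was not actively blocked" can look like in practice, and to help a customer spot interference before the ASV reports an inconclusive result, here is an added example that is not part of the original post. It parses a constructed firewall/IPS log format (real IPS and WAF products log differently), keeps only events from the ASV's source range inside the agreed scan window, and reports any drop/block/reset actions together with the ports and signatures involved. The ASV range, the target addresses, the scan window and every log line below are constructed sample values.

```python
"""Check firewall/IPS logs for evidence that an ASV scan was blocked.

Added example, not part of the original post. The log format, the ASV
source range, the scan window and all log lines are constructed for the
demonstration; real IPS and WAF logs differ per product.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed log format (assumption, not any vendor's real format):
# "<ISO timestamp> <device> <action> src=<ip> dst=<ip>:<port> sig=<signature>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<action>\S+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+) sig=(?P<sig>.+)$"
)

# Actions that mean an active protection system interfered with the traffic.
BLOCKING_ACTIONS = {"drop", "reject", "block", "reset", "rate-limit"}


@dataclass
class InterferenceReport:
    """Summary of ASV-sourced events seen inside the scan window."""
    total_asv_events: int = 0
    blocked_events: int = 0
    blocked_ports: set = field(default_factory=set)
    triggered_signatures: dict = field(default_factory=dict)  # signature -> count
    devices: set = field(default_factory=set)                 # devices that blocked

    @property
    def interfered(self) -> bool:
        # Any blocking action against ASV traffic means the scan is inconclusive
        # unless the customer can explain it; zero blocks is the evidence wanted.
        return self.blocked_events > 0


def check_scan_interference(log_lines, asv_networks, window_start, window_end):
    """Return an InterferenceReport for ASV-sourced events in the scan window."""
    nets = [ip_network(n) for n in asv_networks]
    report = InterferenceReport()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.fromisoformat(m["ts"])
        if not (window_start <= ts <= window_end):
            continue  # outside the agreed maintenance window
        src = ip_address(m["src"])
        if not any(src in n for n in nets):
            continue  # not ASV traffic; attacks from other sources are out of scope
        report.total_asv_events += 1
        if m["action"].lower() in BLOCKING_ACTIONS:
            report.blocked_events += 1
            report.blocked_ports.add(int(m["port"]))
            report.devices.add(m["device"])
            sig = m["sig"]
            report.triggered_signatures[sig] = report.triggered_signatures.get(sig, 0) + 1
    return report


# Constructed sample data: 203.0.113.0/24 stands in for the ASV's published
# scanner range, 198.51.100.x for the customer's external-facing hosts.
ASV_NETWORKS = ["203.0.113.0/24"]
SCAN_WINDOW = (
    datetime(2024, 5, 4, 2, 0, tzinfo=timezone.utc),
    datetime(2024, 5, 4, 4, 0, tzinfo=timezone.utc),
)
SAMPLE_LOG = """
2024-05-04T02:10:05+00:00 edge-ips-1 allow src=203.0.113.10 dst=198.51.100.5:443 sig=none
2024-05-04T02:10:07+00:00 edge-ips-1 drop src=203.0.113.10 dst=198.51.100.5:443 sig=HTTP.Scanner.UserAgent
2024-05-04T02:11:30+00:00 edge-waf-1 block src=203.0.113.11 dst=198.51.100.5:443 sig=WAF.RateLimit
2024-05-04T02:12:00+00:00 edge-ips-1 drop src=192.0.2.77 dst=198.51.100.5:22 sig=SSH.BruteForce
2024-05-04T05:00:00+00:00 edge-ips-1 drop src=203.0.113.10 dst=198.51.100.5:443 sig=HTTP.Scanner.UserAgent
2024-05-04T02:15:00+00:00 edge-ips-1 drop src=203.0.113.12 dst=198.51.100.6:8443 sig=HTTP.Scanner.UserAgent
""".strip().splitlines()


def demo_report():
    """Run the check over the constructed sample log."""
    return check_scan_interference(SAMPLE_LOG, ASV_NETWORKS, *SCAN_WINDOW)


if __name__ == "__main__":
    r = demo_report()
    verdict = "INTERFERENCE DETECTED" if r.interfered else "no interference"
    print(f"{verdict}: {r.blocked_events}/{r.total_asv_events} ASV events blocked")
    print(f"ports: {sorted(r.blocked_ports)} devices: {sorted(r.devices)}")
    for sig, n in sorted(r.triggered_signatures.items()):
        print(f"  {sig}: {n}")
```

The filtering order matters: the event from 192.0.2.77 is dropped by design because the page is only concerned with ASV traffic, and the 05:00 event falls outside the window and so does not count against the scan. A report with zero blocked events over the full window, produced from the customer's own device logs, is the kind of evidence the second method asks for; a report with blocks tells the customer exactly which devices, signatures and ports the temporary configuration change in the first method needs to cover.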
Temporary Configuration Changes
To allow the scan to proceed without hindrance, the customer may need to implement temporary configuration changes. For instance, active protection systems like IPS and WAF should be set to permit the ASV scan to complete.
Detecting all vulnerabilities is essential to the defense-in-depth strategy emphasized in the PCI DSS. If a scan cannot identify vulnerabilities on Internet-facing systems due to blocking by an active protection system, those vulnerabilities may remain unaddressed and could be exploited by attackers whose methods do not trigger the protection mechanisms.
Conducting scans during planned maintenance windows enables customers to prepare for scans, implement temporary changes to minimize interference with ASV traffic, and monitor their systems as needed.
These suggested changes are temporary and only necessary for the duration of the ASV scan and for the relevant external-facing IP addresses.
If you would like to know more about the ASV program, you can read my other blog post here.
Note: Temporary configuration changes do not require the scan customer to “whitelist” or grant the ASV a higher level of network access.