2 Read Before Use

The Greenbone Security Manager (GSM) includes a full-featured vulnerability scanner. While the vulnerability scanner has been designed to minimize any adverse effects on the network environment, it still needs to interact and communicate with the target systems being analyzed during a scan.


It is the fundamental task of the GSM to find and identify otherwise undetected vulnerabilities. To a certain extent the scanner has to behave like a real attacker would.

While the default and recommended settings reduce the impact of the vulnerability scanner on the environment to a minimum, unwanted side effects may still occur. These side effects can be controlled and refined through the scanner settings.


Be aware of the following general side effects:

  • Log and alert messages may show up on the target systems.
  • Log and alert messages may show up on network devices, monitoring solutions, firewalls and intrusion detection and prevention systems.
  • Firewall rules and other intrusion prevention measures may be triggered.
  • Scans may increase latency on the target and/or the scanned network. In extreme cases, this may result in situations similar to a denial of service (DoS) attack.
  • Scans may trigger bugs in fragile or insecure applications resulting in faults or crashes.
  • Embedded systems and elements of operational technology with weak network stacks are especially prone to crashes and may even be left broken.
  • Logins (e.g., via SSH or FTP) are performed against the target systems for banner-grabbing purposes.
  • Scans may result in user accounts being locked due to the testing of default user name/password combinations.

Since the behavior described above is expected, desired, or even required for vulnerability scanning, the scanner’s IP address(es) should be added to the allow list of the affected system/service. Information on creating such an allow list is available from the documentation or support of the respective system/service.

Remember that if a scan with default settings triggers faults, crashes or account lockouts, an attacker can do the very same at unplanned times and to an unplanned extent. Finding out about it earlier than the attacker is the key to resilience.

While the side effects are very rare when using the default and recommended settings, the vulnerability scanner also allows invasive behavior to be configured, which increases the probability of the effects listed above.


Be aware of these facts and verify the required authorization to execute scans before using the GSM to scan the target systems.