Ghost Hosts
Host discovery scans may return results for IP addresses that do not have a live asset. By default, the scanner sends ICMP along with TCP / UDP probes to several commonly accessible ports to determine whether there is a live asset at an IP address. By using TCP / UDP probes in addition to ICMP, the scanner can detect a live asset that may have ICMP disabled. However, sometimes a device on the network responds to the TCP probes for IP addresses that do not have live assets, which results in the detection of ghost assets.
Solutions:
- To prevent the detection of ghost assets, modify the scan policy and toggle on "ICMP only asset detection". See "To modify or create a scan policy" in the article for Scan Configuration.
- To find ghost hosts that have been previously picked up, the following filter set can be used in Active View:
  - Asset: Detected with scanner type = internal
  - Asset: Rating = A
  - Asset: Threat Rank < 1
  - Asset: CVSS Rating < 1
  - Asset: OS = "unknown"
The remaining results are IP addresses with no DNS or NetBIOS name and no vulnerabilities, aside from the FVM Scanner informational vulnerability. These can be considered non-existent hosts and thus can be excluded from device counts.
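
As an added example (not part of the original article or the product), the filter set above can be applied offline to an exported asset list, with the matches grouped by /24 to show which network segments produce ghost hosts. The CSV column names and sample rows are constructed assumptions, not the product's export schema; the extra check for empty DNS and NetBIOS names makes the article's closing observation explicit before anything is excluded from device counts.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export. Column names are assumptions, not the product's schema.
SAMPLE_CSV = """ip,scanner_type,rating,threat_rank,cvss_rating,os,dns_name,netbios_name
10.0.5.10,internal,A,0,0,unknown,,
10.0.5.11,internal,A,0,0,unknown,,
10.0.5.12,internal,A,0,0,unknown,,
10.0.5.20,internal,C,42,7.5,Windows Server 2019,app01.example.test,APP01
10.0.6.7,internal,A,0,0,unknown,printer7.example.test,
10.0.7.3,external,A,0,0,unknown,,
10.0.8.9,internal,A,0,0,Linux,,
"""

def is_ghost_candidate(row):
    """Apply the five filter conditions, then require that no name was resolved."""
    return (
        row["scanner_type"].strip().lower() == "internal"
        and row["rating"].strip().upper() == "A"
        and float(row["threat_rank"]) < 1
        and float(row["cvss_rating"]) < 1
        and row["os"].strip().lower() == "unknown"
        # A resolved name suggests a real device, so keep it in the counts.
        and not row["dns_name"].strip()
        and not row["netbios_name"].strip()
    )

def ghost_candidates(csv_text):
    """Return the IPs in the export that match the ghost-host filter set."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["ip"] for row in reader if is_ghost_candidate(row)]

def group_by_subnet(ips, prefix=24):
    """Group candidate IPs by network so clusters of ghosts stand out."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[str(net)].append(ip)
    return dict(groups)

if __name__ == "__main__":
    ghosts = ghost_candidates(SAMPLE_CSV)
    for net, ips in sorted(group_by_subnet(ghosts).items()):
        print(f"{net}: {len(ips)} candidate(s): {', '.join(ips)}")
```

A subnet where most candidates cluster is a good place to look for the device that answers TCP probes on behalf of unused addresses.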