Overview
SecurityHive’s Vulnerability Management engine supports authenticated scans, which provide deeper visibility into vulnerabilities on systems by logging into them directly. While this method significantly increases the accuracy and coverage of scan results, it may also trigger endpoint security alerts in some environments.
This article explains:
How authenticated scans work
Why they trigger alerts in certain antivirus or endpoint detection & response (EDR) tools
Recommended mitigation steps
Alternative options if filtering by user is not possible
What Is an Authenticated Scan?
An authenticated scan is a type of vulnerability scan where the scanner logs into a system (e.g., via SSH for Linux or WMI/SMB for Windows) using valid credentials. This provides local access to files, processes, and configurations, enabling more accurate vulnerability detection—especially for:
Missing patches
Insecure configurations
Unpatched local software
Privilege escalation paths
These scans rely on the same remote-administration protocols and credential use that a system administrator (or an attacker moving laterally) would rely on, so from the endpoint's point of view they are indistinguishable from lateral movement.
Why Endpoint Security Tools Raise Alerts
Many modern EDR and antivirus solutions use behavioral detection to flag suspicious activity, especially those resembling:
Lateral movement
Credential use or reuse
Tooling similar to Impacket
SecurityHive’s scan engine uses legitimate login credentials to remotely query systems, sometimes with techniques that resemble tools like Impacket. As a result, solutions like Sophos Intercept X, SentinelOne, and Microsoft Defender for Endpoint may raise alerts or even block the scan.
In this context the alerts are false positives: the detection accurately describes the behaviour (remote authentication followed by remote queries or process execution), but the actor is your own scanner. Before suppressing such an alert, confirm that the account, source IP and time match your scanner and its schedule; the same alert from any other account or address should be investigated as genuine.
Recommended Mitigation Steps
To minimize disruption and alert fatigue, we recommend the following:
Create a Dedicated Scan User (Instructions)
Use a system or domain user created specifically for vulnerability scans (e.g., svc_vulnscan). Limit its privileges to what scanning requires (e.g., WMI read access and local administrator rights on Windows, SSH access on Linux), and do not reuse it for interactive administration: a single-purpose account is easy to scope exclusions around, and any use of it outside a scheduled scan stands out.
Configure Endpoint Security Exclusions
Set up a rule in your EDR or antivirus platform to ignore or whitelist actions performed by the dedicated scan user.
This typically involves adding:
The scan user account to an exclusion list
Specific process paths or hash exclusions
Network-based exclusions for known scanner IPs
⚠️ Note: Not all endpoint protection platforms support user-based or behavior-based exclusions. Some may only allow exclusions by file path or hash. Prefer exclusions tied to the scan user and the scanner's source IPs, and be cautious with path or hash exclusions on the target: the WMI, SMB and remote-execution components an authenticated scan exercises are the same ones an attacker would use, so excluding them outright blinds the EDR to real lateral movement. Review exclusions periodically and remove them when the scanner or its addresses change.
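To make the scoping concrete, here is an added example (not SecurityHive's code, and not the exclusion syntax of any of the products named above) of the same decision applied downstream, in a SIEM or alert-routing script, which is also the fallback when the endpoint product cannot exclude by user: an alert is suppressed only when the account, the source address and the time of day all match the scanner. The account name, scanner subnet, scan window and the alert lines are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network

# Hypothetical local policy for the dedicated scan account. The account name,
# scanner subnet and scan window are assumptions for this example.
SCAN_ACCOUNT = "svc_vulnscan"
SCANNER_NETWORKS = [ip_network("10.20.30.0/29")]      # where scans originate
SCAN_WINDOW_UTC = (time(1, 0), time(5, 0))            # scheduled scan hours

# Constructed sample alerts in a simple key=value format, one per line.
SAMPLE_ALERTS = r"""
ts=2024-03-12T02:14:05Z host=FS01 account=CORP\svc_vulnscan src=10.20.30.2 technique=remote_wmi_exec
ts=2024-03-12T02:15:11Z host=FS01 account=CORP\svc_vulnscan src=192.168.77.5 technique=smb_admin_share
ts=2024-03-12T14:02:40Z host=DC01 account=CORP\svc_vulnscan src=10.20.30.2 technique=remote_wmi_exec
ts=2024-03-12T02:16:00Z host=FS02 account=CORP\jdoe src=10.20.30.2 technique=remote_wmi_exec
""".strip().splitlines()


@dataclass
class Alert:
    ts: datetime
    host: str
    account: str
    source_ip: str
    technique: str


def parse_alert(line):
    """Parse one key=value alert line into an Alert (timestamps are UTC)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    ts = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    return Alert(ts, fields["host"], fields["account"], fields["src"], fields["technique"])


def normalize_account(account):
    """Strip DOMAIN\\ or @realm decoration so CORP\\svc_vulnscan matches svc_vulnscan."""
    return account.split("\\")[-1].split("@")[0].lower()


def in_scan_window(ts):
    start, end = SCAN_WINDOW_UTC
    return start <= ts.astimezone(timezone.utc).time() < end


def triage(alert):
    """Return ("suppress", reason) only when account, source and time all match
    the scanner. Any mismatch escalates: the scan account is itself a valuable
    credential, and a per-user exclusion alone would hide its misuse."""
    if normalize_account(alert.account) != SCAN_ACCOUNT:
        return "escalate", "account is not the dedicated scan user"
    if not any(ip_address(alert.source_ip) in net for net in SCANNER_NETWORKS):
        return "escalate", "scan account used from a non-scanner address"
    if not in_scan_window(alert.ts):
        return "escalate", "scan account active outside the scan window"
    return "suppress", "expected authenticated-scan activity"


def triage_log(lines):
    """Triage every alert line; returns (host, technique, decision, reason) per line."""
    out = []
    for line in lines:
        a = parse_alert(line)
        decision, reason = triage(a)
        out.append((a.host, a.technique, decision, reason))
    return out


if __name__ == "__main__":
    for row in triage_log(SAMPLE_ALERTS):
        print(*row, sep=" | ")
```

The second and third sample lines are the ones worth keeping an eye on: the scan account appearing from an address outside the scanner subnet, or at a time when no scan is scheduled, is exactly the signal a blanket per-user exclusion would silence, and it is what credential theft of that account would look like.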
❗ If Exclusions Are Not Supported
If your endpoint security solution does not support user-based or behavioral exclusions, you have two alternatives:
1. Disable Authenticated Scans
You may opt to run unauthenticated scans, which still detect network-facing vulnerabilities, but lack local insight into installed software, patches, and configurations.
2. Deploy the SecurityHive Vulnerability Agent
Our lightweight agent collects local vulnerability data directly on the endpoint and reports it to the SecurityHive platform. This provides:
Full visibility without triggering lateral movement alerts
Compatibility with most EDR/AV environments
Continuous scanning
Learn more about the SecurityHive Vulnerability Agent here.
Summary
| Feature | Authenticated Scan | Vulnerability Agent |
| --- | --- | --- |
| Requires system credentials | ❌ Yes | ✅ No |
| Triggers EDR/AV alerts | ⚠️ Possibly | ✅ No (no remote logins) |
| Supports deep local checks | ✅ Yes | ✅ Yes |
| Exclusion workaround possible | ✅ Yes (if supported) | Not needed |