Vulnerability Management scan schedule
Scheduling
After the device is added to N-central, the device runs a scan for vulnerabilities every hour, on the hour.
Scan results are uploaded to N-central based on changes detected and the maximum interval between uploads.
- When a scan runs, the system stores the result hash and compares it with the previous scan result hash. If the hashes differ, a change has occurred. If the hashes match, no changes have occurred.
- When a scan uploads a 'change detection' result, a 24-hour 'cooldown' period is established. No further scans or result uploads occur for 24 hours, unless the weekly scan is due.
- When the scan uploads a 'no change' result, subsequent scans with 'no change' results are not uploaded for the next 24 hours.
- If no changes are detected for 7 days, the device performs a scan and uploads the results. This means a device will scan and upload results at least once per week.
Manual scans
You can run the vulnerability scan on demand, for an individual device, or in bulk. See Run the Vulnerability scan for instructions.
Result upload handling
Software inventory updates are queued and processed as they arrive in the cloud. The system updates the vulnerability state after processing completes. Processing the queue can take up to 4 hours.
A vulnerability entry remains in the database up to 90 after the last change to its status.
If a software version with a vulnerability is detected and then that software is no longer detected, the vulnerability changes from Unresolved to Resolved.
- If a software version with the same vulnerability is detected again, the vulnerability status changes back to Unresolved.
- Currently, the system does not track the cause of vulnerability status changes. It only tracks the current status of the vulnerablity, Resolved or Unresolved.
If a device misses a scan because it is offline, the scan runs at the next scheduled time once the device is back online.
Related articles