Scan types
The Vulnerability Detector runs three different types of scans.
Baseline: The Vulnerability Detector triggers this scan type the first time you enable the module. It performs a full scan of the operating system and every installed package, builds the CVE inventory, and generates an alert for each vulnerability it finds.
Full scan: The Vulnerability Detector scans the operating system and every installed package. It runs only when the configured min_full_scan_interval has expired and the CVE database contains new information. As a result, Wazuh generates alerts for any addition to or removal from the vulnerability inventory.
Partial scan: The Vulnerability Detector scans only packages that are new since the previous scan. As a result, Wazuh generates alerts for any change this makes to the CVE inventory.
A few considerations arise from this behavior:
The min_full_scan_interval setting protects manager performance by preventing Full scans from running too often, which matters most when the manager receives frequent updates to the vulnerability feeds. Until the interval expires, a feed update triggers Partial scans only.
Every vulnerability in the agent vulnerability inventory is in one of three states:
VALID: Indicates that the vulnerability is still present in the system.
PENDING: A Full scan is in progress, and the vulnerability needs to be confirmed.
OBSOLETE: Indicates that the vulnerability is no longer present in the system. The Vulnerability Detector generates removal alerts when any vulnerability enters this state.
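To make the three scan types and the VALID / PENDING / OBSOLETE transitions concrete, the following is an added example: a small Python model of the scan scheduler and the per-agent inventory. It is not Wazuh's own code. The data structures, function names, the toy version matcher and the sample packages and CVE feed are constructed assumptions; the rules follow the text above literally: a Baseline scan is the first scan after enabling, a Full scan runs only when min_full_scan_interval has expired and the feed changed, a Partial scan looks only at packages not scanned before, and a Full scan marks every VALID entry PENDING, then either reconfirms it (VALID) or retires it (OBSOLETE) with a removal alert.

```python
"""Simplified model of Wazuh Vulnerability Detector scan types and inventory
states. Added example, not Wazuh's code; every name and rule here is an
assumption that follows the documentation text, not the implementation."""
from dataclasses import dataclass, field
from typing import Optional

VALID, PENDING, OBSOLETE = "VALID", "PENDING", "OBSOLETE"


def version_tuple(v):
    """'1.18.0' -> (1, 18, 0); toy comparison, assumption."""
    return tuple(int(x) for x in v.split("."))


@dataclass
class Inventory:
    entries: dict = field(default_factory=dict)       # (package, cve) -> state
    seen_packages: set = field(default_factory=set)   # packages already scanned
    alerts: list = field(default_factory=list)        # (kind, package, cve)
    last_full_scan: Optional[float] = None            # seconds; None = never


def matches(packages, feed):
    """Yield (package, cve) for each installed package whose version is below
    the feed's fixed version. packages: name -> version; feed: name -> {cve: fixed_in}."""
    for name, installed in packages.items():
        for cve, fixed_in in feed.get(name, {}).items():
            if version_tuple(installed) < version_tuple(fixed_in):
                yield name, cve


def full_scan(inv, packages, feed, now):
    """Scan everything. Existing VALID entries must be re-confirmed (PENDING);
    anything not found again becomes OBSOLETE and raises a removal alert."""
    for key, state in inv.entries.items():
        if state == VALID:
            inv.entries[key] = PENDING
    for key in matches(packages, feed):
        if inv.entries.get(key) != PENDING:      # genuinely new finding
            inv.alerts.append(("new", *key))
        inv.entries[key] = VALID
    for key, state in inv.entries.items():
        if state == PENDING:                     # vulnerability is gone
            inv.entries[key] = OBSOLETE
            inv.alerts.append(("removed", *key))
    inv.seen_packages.update(packages)
    inv.last_full_scan = now


def partial_scan(inv, packages, feed):
    """Scan only packages never seen before; existing entries are untouched."""
    new = {n: v for n, v in packages.items() if n not in inv.seen_packages}
    for key in matches(new, feed):
        inv.entries[key] = VALID
        inv.alerts.append(("new", *key))
    inv.seen_packages.update(new)


def run_scan(inv, packages, feed, now, feed_changed, min_full_scan_interval):
    """Choose the scan type the documentation describes and run it.
    feed_changed: whether the CVE database got new information since the
    last Full scan (assumption: tracked by the caller)."""
    if inv.last_full_scan is None:
        full_scan(inv, packages, feed, now)
        return "baseline"
    if feed_changed and now - inv.last_full_scan >= min_full_scan_interval:
        full_scan(inv, packages, feed, now)
        return "full"
    partial_scan(inv, packages, feed)
    return "partial"


def demo():
    """Constructed scenario; returns (inventory, [(scan_type, entries_snapshot), ...])."""
    six_hours = 6 * 3600
    feed = {"openssl": {"CVE-A": "1.1.2"}, "nginx": {"CVE-B": "1.19.0"}}  # toy feed
    packages = {"openssl": "1.1.1", "curl": "7.80.0"}                      # toy agent
    inv, history = Inventory(), []

    def step(now, feed_changed):
        kind = run_scan(inv, packages, feed, now, feed_changed, six_hours)
        history.append((kind, dict(inv.entries)))

    step(0, False)                     # first scan ever -> baseline, CVE-A found
    packages["nginx"] = "1.18.0"       # new package arrives
    step(60, False)                    # -> partial, only nginx scanned, CVE-B found
    packages["openssl"] = "1.1.2"      # CVE-A fixed, feed also updated...
    step(120, True)                    # ...but interval not expired -> partial, CVE-A stays VALID
    step(six_hours + 200, True)        # interval expired + feed changed -> full, CVE-A OBSOLETE
    return inv, history


if __name__ == "__main__":
    inventory, hist = demo()
    for kind, snapshot in hist:
        print(kind, snapshot)
    print(inventory.alerts)
```

The third scan in demo() is the case the min_full_scan_interval note above is about: openssl has been upgraded and the feed has changed, but the interval has not expired, so in this model only a Partial scan runs and CVE-A stays VALID; the removal alert arrives with the next Full scan, after the entry has passed through PENDING.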