Scan types

Wazuh has three different types of scans.

  • Baseline: The Vulnerability Detector triggers this scan type the first time you enable the module. The Vulnerability Detector performs a full scan of the operating system and every package installed. It creates a CVE inventory and generates an alert for each vulnerability.

  • Full scan: In this scan type, the Vulnerability Detector scans the operating system and every installed package. It runs only when the configured min_full_scan_interval has expired and the CVE database contains new information. As a result, Wazuh generates alerts when there is any update/change in the vulnerability inventory.

  • Partial scan: The Vulnerability Detector only scans new packages. As a result, Wazuh generates alerts when there is any update/change in the CVE inventory.

A few considerations arise from this behavior:

  • The min_full_scan_interval setting protects manager performance by preventing Full scans from running too often, especially when the manager receives many updates to the vulnerability feeds.

  • Every vulnerability in the agent vulnerability inventory is in one of three states:

    • VALID: Indicates that the vulnerability is still present in the system.

    • PENDING: A Full scan is in progress, and the vulnerability needs to be confirmed.

    • OBSOLETE: Indicates that the vulnerability is no longer present in the system. The Vulnerability Detector generates removal alerts when any vulnerability enters this state.
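The full-scan gating rule and the VALID/PENDING/OBSOLETE transitions described above, as an added illustrative model in Python (not Wazuh's own code). The class and method names, the seconds unit for min_full_scan_interval, and the package and CVE values used when exercising it are constructed assumptions.

```python
from enum import Enum


class State(Enum):
    VALID = "VALID"        # vulnerability still present
    PENDING = "PENDING"    # full scan in progress, awaiting confirmation
    OBSOLETE = "OBSOLETE"  # no longer present; a removal alert was raised


class Inventory:
    """Constructed model of a per-agent CVE inventory; keys are (package, cve)."""

    def __init__(self, min_full_scan_interval):
        self.min_full_scan_interval = min_full_scan_interval  # assumed: seconds
        self.last_full_scan = None      # None until the baseline scan has run
        self.feed_updated = True        # new CVE feed data since the last full scan
        self.entries = {}               # (package, cve) -> State
        self.alerts = []                # ("new" | "removed", package, cve)

    def full_scan_allowed(self, now):
        # Both conditions must hold: interval expired AND feed has new data.
        interval_ok = (self.last_full_scan is None
                       or now - self.last_full_scan >= self.min_full_scan_interval)
        return interval_ok and self.feed_updated

    def _record(self, findings):
        # First-time findings become VALID and alert; PENDING ones are confirmed silently.
        for key in findings:
            previous = self.entries.get(key)
            self.entries[key] = State.VALID
            if previous not in (State.VALID, State.PENDING):
                self.alerts.append(("new",) + key)

    def full_scan(self, now, findings):
        """Rescan everything. With no prior scan this is the baseline scan."""
        if not self.full_scan_allowed(now):
            return False
        for key, state in self.entries.items():
            if state is State.VALID:
                self.entries[key] = State.PENDING
        self._record(findings)
        for key, state in self.entries.items():
            if state is State.PENDING:           # not confirmed by the rescan
                self.entries[key] = State.OBSOLETE
                self.alerts.append(("removed",) + key)
        self.last_full_scan, self.feed_updated = now, False
        return True

    def partial_scan(self, new_packages, findings):
        """Only newly installed packages are examined; existing entries are untouched."""
        self._record({k for k in findings if k[0] in new_packages})
```

Running a baseline, a blocked early full scan, a partial scan of one new package and a later full scan shows that a fixed vulnerability in an old package is only marked OBSOLETE (and alerted as removed) once a Full scan actually runs.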