Detached is the name of a scan status, which is usually temporary and will update after a short time. If your scan shows as detached the best course of action is usually to leave it for a few minutes (or even hours depending on the number of targets). Continue reading to understand why.
What does "Detached" mean
To understand this issue you need to know a little about the AppCheck Scanner's architecture. There are three main parts to the Scanner:
- The User Interface
- The Scan Coordinator
- The Scan Process (running on one of several Scan Hubs)
When you start a scan through the UI that tells the coordinator you want to run a scan, and the coordinator selects a scan hub, sends the scan config to it and tells it to start the scan (a similar thing happens when you pause or abort a scan too).
When you go to view the status of a scan in the UI the UI gets the scan status from the coordinator, which should be receiving regular updates on the status from the scan hub. If the coordinator hasn't received updates from the scan hub for five minutes or more, it reports that the scan status is "detached”, which is what you then see in the UI.
There can be many reasons for this, eg maybe the scan hub has been shut down, or the scan process has ended unexpectedly, or it can just be that the scan process is busy with a particularly intensive component that has temporarily blocked it from sending updates.
What to do when you see this
This depends whether the scan is running on a public scan hub, or on your own private, internal scan hub.
Public Scan Hubs
This issue rarely occurs on public scan hubs. If you see this status for more than around ten minutes then you should raise a ticket with AppCheck Technical Support via https://appcheck-ng.com/get-help/.
Private Scan Hubs
On private, internal hubs there is also a known bug where the scan process fails to send updates during an early stage of an infrastructure scan, so all internal infrastructure scans show detached during that stage (if the stage lasts longer than five minutes). If you only have a single infrastructure target this stage may be over before you see the "detached" status; but if scanning a large range of IP addresses this could go on for a few hours, or even days/weeks if you scan thousands of hosts at once.
Once the scan moves on to the next stage the scan process resumes sending status updates to the coordinator, and the scan status in the UI updates correctly.
Note that this bug only affects the displayed status of the scan in the UI; it does not slow the scan down or alter its final results.
The stage where this occurs is the automatic passive scanning of discovered web applications, which is an optional stage during infrastructure scanning, designed to give some coverage of web applications that you might not have thought to scan explicitly.
This stage is enabled by default but can be disabled in the scan settings:
Infrastructure Scanner Settings
-> Vulnerability Scanner
-> Advanced Settings
-> Automatically perform a passive web app scan against any discovered web applications.
We recommend disabling this stage when scanning a large range of IP addresses (more than one /24 network, as a very rough rule of thumb). You may wish to abort your current scan, disable this stage, then re-start the scan.
If you see this status even with the above stage disabled, and it persists for more then ten minutes, please raise a ticket with AppCheck Technical Support via https://appcheck-ng.com/get-help/.