Answer
UDP is a connectionless protocol. When a UDP packet is sent to a port that is OPEN, the receiving host does not send anything back to confirm receipt, as TCP does with its handshake; the only reply, if any, comes from the application listening on that port. If the target port is NOT OPEN, the target host sends back an ICMP Destination Port Unreachable packet (ICMP type 3, code 3). Therefore the standard way UDP scanners decide that a port is OPEN is the absence of that ICMP Destination Port Unreachable reply. GFI LanGuard works in the same way.

That means that anything which interferes with the ICMP packets causes a scanner to think all ports are open and to produce false positives. Therefore, before beginning its UDP scan, GFI LanGuard tries to determine whether UDP scanning is reliable against the target machine. To do this LanGuard probes 25 randomly chosen ports in the range 30000 – 65035. Since it is statistically unlikely that more than one of these ports is open, LanGuard should receive ICMP Destination Port Unreachable packets back for most of these probes. If it does not, it declares that UDP port scanning is unreliable and reports the error in the scan result as 'UDP scan is not reliable on this machine'. This can happen for the following reasons:
- The ICMP packets are blocked by a firewall between the scanned machine and LanGuard.
- An IDS or other security system on the scanned machine prevents it from sending an ICMP response.
- The ICMP packets do not arrive within the UDP timeout. In this case the UDP timeout can be increased from the Scanning Profiles Editor > Scanner Options > UDP port scan query timeout.
- A frequent cause of unreliable UDP port scanning is the Windows Vista and Windows 7 TCP/IP stack, which does not send back all of the expected ICMP Destination Port Unreachable packets (it rate-limits them as a security measure in the Windows operating system). In this case only an Agent can perform a reliable scan of open UDP ports.
Priyanka Bhotika
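The reliability check described in the answer, written out as an added example. This is not GFI LanGuard's own code; it is a stand-alone Python probe that follows the same logic: send to a sample of random high ports, count how many come back as ICMP Destination Port Unreachable, and refuse to call silent ports "open" when too few did. The sample size (25), the port range (30000 – 65035) and the 80 % threshold are assumptions taken from the text; the product's exact threshold is not published on the page. Instead of raw sockets it uses a connected UDP socket: the kernel turns an incoming ICMP type 3 code 3 into ECONNREFUSED (Linux/BSD) or WSAECONNRESET (Windows) on the next recv(), which Python raises as a ConnectionError, so no privileges are needed.

```python
"""Added example (not GFI LanGuard code): a UDP scan reliability probe.

Assumptions: SAMPLE_SIZE, SAMPLE_RANGE and MIN_UNREACHABLE_FRACTION mirror the
answer above (25 random ports in 30000-65035, "most" must answer with ICMP);
the real product's threshold is not known. The probe relies on a *connected*
UDP socket so that an ICMP Destination Port Unreachable (type 3, code 3) is
reported to the application as a ConnectionError on recv().
"""
from __future__ import annotations

import random
import socket
import sys

SAMPLE_SIZE = 25                   # assumption, from the text
SAMPLE_RANGE = (30000, 65035)      # assumption, from the text
MIN_UNREACHABLE_FRACTION = 0.8     # assumption: "most" probes must yield ICMP


def probe_udp_port(host: str, port: int, timeout: float = 1.0,
                   payload: bytes = b"\x00") -> str:
    """Classify one UDP port from the scanner's point of view.

    'closed'        - ICMP Destination Port Unreachable came back
    'open'          - the application answered the datagram
    'open|filtered' - silence: an open port that ignored us, OR a closed
                      port whose ICMP reply was dropped or rate-limited
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)        # the "UDP port scan query timeout" knob
        sock.connect((host, port))      # connected socket => ICMP errors surface
        try:
            sock.send(payload)
            sock.recv(1024)
            return "open"
        except ConnectionError:         # ECONNREFUSED / WSAECONNRESET
            return "closed"
        except socket.timeout:
            return "open|filtered"


def udp_scan_is_reliable(results: list[str],
                         min_fraction: float = MIN_UNREACHABLE_FRACTION) -> bool:
    """Reliable only if enough random (almost certainly closed) ports produced
    an ICMP unreachable. Silence nearly everywhere means ICMP is being lost."""
    if not results:
        return False
    unreachable = sum(1 for r in results if r == "closed")
    return unreachable / len(results) >= min_fraction


def reliability_probe(host: str, timeout: float = 1.0,
                      rng: random.Random | None = None) -> tuple[bool, list[str]]:
    """Sample SAMPLE_SIZE random high ports and decide whether UDP scanning
    can be trusted against this host."""
    rng = rng or random.Random()
    ports = rng.sample(range(SAMPLE_RANGE[0], SAMPLE_RANGE[1] + 1), SAMPLE_SIZE)
    results = [probe_udp_port(host, p, timeout) for p in ports]
    return udp_scan_is_reliable(results), results


def interpret_scan(port_results: dict[int, str], reliable: bool) -> dict[int, str]:
    """Turn raw probe states into a report. A silent port is reported as open
    only when the reliability probe passed; otherwise the scanner has no basis
    for that claim and says so instead of emitting a false positive."""
    report: dict[int, str] = {}
    for port, state in port_results.items():
        if state == "open|filtered":
            report[port] = "open" if reliable else "unknown (UDP scan not reliable)"
        else:
            report[port] = state
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    reliable, sample = reliability_probe(target)
    print(f"{target}: {sample.count('closed')}/{len(sample)} probes answered with "
          f"ICMP port unreachable -> reliable={reliable}")
    if not reliable:
        print("UDP scan is not reliable on this machine")
    print(interpret_scan({p: probe_udp_port(target, p) for p in (53, 123, 161)}, reliable))
```

Run it as `python udp_probe.py <host>`. The timeout argument of probe_udp_port plays the role of the Scanning Profiles "UDP port scan query timeout": if the reliability probe fails against a distant host, try a larger value before concluding that ICMP is blocked. Note that the Windows behaviour the answer mentions is not unique: Linux also rate-limits ICMP unreachable replies (net.ipv4.icmp_ratelimit), so a fast scanner sees the same "everything looks open" symptom there, which is why the check samples several ports rather than trusting a single probe.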