For Patrowl, the liveness of an asset is determined from an attacker's perspective, by answering one simple question: “Am I able to attack something on that asset?”
An asset is considered "up" if the host responds to ping (ICMP), or if at least one TCP port is detected as accessible by our probes. This could be a web service (HTTPS/443, 80), an administration service (SSH/22), or others (e.g., FTP/21). As long as a port is open, a service is accessible and potentially exploitable externally by an attacker, and the asset will therefore be classified as "up" by our systems.
🗒️ Note that a “Filtered” service (meaning that our probes received a response from a filtering device) will also result in the asset being considered “up”. The service is not reachable by our probes, but a service is running behind the filtering device.
An asset is considered "down" when no ports or services are accessible from our probes. All services are unreachable externally, making it impossible for an attacker to access them remotely at that moment. Such an asset is classified as "down" by our systems.
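The rule above as an added example (not Patrowl's code): a small Python classifier that reads constructed probe records and returns the verdict together with the evidence behind it. The record layout, the state names `open`/`closed`/`filtered`, and the choice to treat a closed port as not accessible are assumptions made for this illustration.

```python
# Added illustration of the liveness rule; the record layout is hypothetical.
# Constructed probe results: "<asset> icmp=<reply|none> [<port>/tcp=<state> ...]"
SAMPLE = """\
192.0.2.10 icmp=reply 22/tcp=open 443/tcp=open
192.0.2.20 icmp=none 443/tcp=filtered
192.0.2.30 icmp=none 21/tcp=closed 80/tcp=closed
192.0.2.40 icmp=reply
192.0.2.50 icmp=none
"""

# Port states that make an asset "up" under the rule described above.
# Assumption: a closed port (nothing listening) does not count as accessible.
LIVE_STATES = {"open", "filtered"}


def parse_record(line):
    """Split one record into (asset, icmp_reply, {port: state})."""
    asset, *fields = line.split()
    icmp_reply = False
    ports = {}
    for field in fields:
        key, _, value = field.partition("=")
        if key == "icmp":
            icmp_reply = value == "reply"
        elif key.endswith("/tcp"):
            ports[int(key[:-4])] = value
        else:
            raise ValueError(f"unrecognised field: {field!r}")
    return asset, icmp_reply, ports


def liveness(icmp_reply, ports):
    """Return ("up" or "down", evidence list) for one asset."""
    evidence = ["icmp"] if icmp_reply else []
    evidence += [f"{p}/tcp {s}" for p, s in sorted(ports.items()) if s in LIVE_STATES]
    return ("up" if evidence else "down"), evidence


def classify(text):
    """Map each asset in the probe results to its liveness verdict."""
    results = {}
    for line in text.splitlines():
        if line.strip():
            asset, icmp_reply, ports = parse_record(line)
            results[asset] = liveness(icmp_reply, ports)
    return results


if __name__ == "__main__":
    for asset, (state, evidence) in classify(SAMPLE).items():
        print(f"{asset:12} {state:4} {', '.join(evidence) or 'no reachable service'}")
```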