Web Application Scanning
Web scans can be slow when you have complex web applications. All ports that run HTTP or HTTPS services, including Microsoft HTTP RPC ports, are scanned.
Part of a full scan or a web scan includes a phase that uses resource-intensive techniques that is similar to web crawling or spidering. If the scanner must crawl multiple web pages that have multiple links, the scan can be slow and demanding on your resources. Web scans look for web vulnerabilities, such as determining whether an HTTP server version has vulnerabilities, expired SSL certificates or weak SSL ciphers. The web scan also looks for Open Web Application Security Project (OWASP) vulnerabilities such as SQL injection, cross-site scripting (XSS), security misconfigurations.
If you don't need to scan your web applications, create a custom full scan policy, and exclude the http – CGI scanner scan tool that is on the Tools tab of your scan policy.