Invention Grant
- Patent Title: Malicious port scan detection using source profiles
- Application No.: US17464716
- Application Date: 2021-09-02
- Publication No.: US11770397B2
- Publication Date: 2023-09-26
- Inventor: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
- Applicant: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
- Applicant Address: IL Tel Aviv
- Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
- Current Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
- Current Assignee Address: IL Tel Aviv
- Agency: KLIGLER & ASSOCIATES PATENT ATTORNEYS LTD
- Main IPC: H04L9/40
- IPC: H04L9/40

Abstract:
A method, including identifying, in network traffic during multiple periods, scans, each scan including an access of multiple ports on a given destination node by a given source node, and computing, for each given source in the scans, an average of destinations whose ports were accessed by the given source during any scan by the given source, and a fraction of periods when the given source accessed at least one of the destinations in at least one scan performed by the given source node. A whitelist is assembled of sources for which one or more of the following conditions applies: the average of destinations accessed in the scans was greater than a first threshold, and the fraction of periods during which at least one destination was accessed in at least one scan was greater than a second threshold. Upon detecting a scan by any non-whitelisted node, a preventive action is initiated.
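The source-profile logic in the abstract can be sketched as follows. This is an added example, not code from the patent or from the assignee. The flow tuple layout `(period, src, dst, port)`, the function names, the sample addresses, the three-port meaning of "multiple ports", both threshold values, and the reading of "average of destinations" as a per-active-period mean are all assumptions.

```python
from collections import defaultdict

MIN_PORTS = 3                  # assumed meaning of "multiple ports" in one scan
AVG_DEST_THRESHOLD = 2.0       # assumed first threshold
PERIOD_FRACTION_THRESHOLD = 0.5  # assumed second threshold

def find_scans(flows):
    """Map (period, src) -> set of destinations on which src hit >= MIN_PORTS ports."""
    ports = defaultdict(set)
    for period, src, dst, port in flows:
        ports[(period, src, dst)].add(port)
    scans = defaultdict(set)
    for (period, src, dst), seen in ports.items():
        if len(seen) >= MIN_PORTS:
            scans[(period, src)].add(dst)
    return scans

def build_whitelist(flows, num_periods):
    """Whitelist sources whose scan profile exceeds either threshold."""
    per_source = defaultdict(list)  # src -> scanned-destination count per active period
    for (_, src), dsts in find_scans(flows).items():
        per_source[src].append(len(dsts))
    whitelist = set()
    for src, counts in per_source.items():
        avg_dests = sum(counts) / len(counts)   # breadth: destinations per scanning period
        fraction = len(counts) / num_periods    # regularity: share of periods with a scan
        if avg_dests > AVG_DEST_THRESHOLD or fraction > PERIOD_FRACTION_THRESHOLD:
            whitelist.add(src)
    return whitelist

def suspicious_scans(flows, whitelist):
    """Return (src, dst) scans by non-whitelisted sources; the preventive action hooks in here."""
    return sorted({(src, dst) for (_, src), dsts in find_scans(flows).items()
                   for dst in dsts if src not in whitelist})

def probe(period, src, dst, ports=(22, 80, 443)):
    """Build constructed sample flows for one multi-port access."""
    return [(period, src, dst, p) for p in ports]

# Constructed sample traffic: four training periods (0-3), then one live period (4).
TRAINING = (
    [f for d in ("10.0.1.1", "10.0.1.2", "10.0.1.3") for f in probe(0, "10.0.0.5", d)]  # broad
    + [f for p in (0, 1, 2) for f in probe(p, "10.0.0.9", "10.0.1.1")]                  # regular
    + probe(1, "10.0.0.77", "10.0.1.2")                                                 # one-off
    + [(2, "10.0.0.30", "10.0.1.3", 443)]                                               # no scan
)
LIVE = probe(4, "10.0.0.5", "10.0.1.1") + probe(4, "10.0.0.42", "10.0.1.2")

if __name__ == "__main__":
    wl = build_whitelist(TRAINING, num_periods=4)
    print("whitelist:", sorted(wl))
    print("alerts:", suspicious_scans(LIVE, wl))
```

A source that scans broadly (a vulnerability scanner) or regularly (a monitoring host) ends up on the whitelist, while a one-off scanner seen during training does not, so its later scans would still alert.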
Public/Granted literature
- US20210400073A1 Malicious port scan detection using source profiles, Public/Granted day: 2021-12-23