We had a couple of network devices report back that every IP behind them is live.
Is there a way to search for devices WITHOUT open ports so I can target and purge them?
Not sure if this would work or not. But you could, after doing your scan on one of the hosts where you know all the ports are closed, look at QID 82004 UDP Services and 82023 TCP Services and verify that the results are empty.
Then you could create a Groovy tag to look at the result data for both of these QIDs. If both result sections are basically empty, you could then apply the label, and that would be the list you could purge.
But verify first. Just curious.
I had the same thing happen when scanning across a pair of F5 load balancers. This was before AssetView, and so I ran a series of asset searches and manually purged the devices. What I figured out was that by tweaking the scan settings and map settings I was able to keep those "phantom" devices from coming back. The key in my environment was that all devices had ICMP Echo Reply enabled, and so I was able to disable all the other discovery methods like traceroute and DNS, thereby reducing my "phantom" IPs from showing in my scan and map results.