Log4j CVE-2021-44228

Alrighty, our team has released some additional info regarding remote checks and their requirements:

How does the remote check work?
The remote check is triggered to run on the following ports: 80, 443, 8080, 8888. It also triggers on an Nmap fingerprint of HTTP(S). So for the best coverage, enable Nmap service fingerprinting in your scan templates. Otherwise, the remote check will only work on the four ports we listed above. Note that enabling Nmap service fingerprinting may lead to increased scan times.

What limitations are there to the remote check?
Our remote check sends a payload that, if the scan target is vulnerable, makes the scan target attempt to open a connection to the scan engine. This approach relies on bi-directional networking and requires the scan engine and scan target to be able to “talk” to each other. In some cases, such as scanning through a VPN or NAT, that required bi-directional networking is not available. Notably, this is the same caveat that many other remote checks have. Networking is important, and if our check can’t reach the vulnerable target properly because something is interfering with that network communication, the check will logically not be able to deliver “vulnerable” results.

We’re going to continue updating our original blog post with info as well, so you can continue to check there for additional details.

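The coverage rules in the post above can be applied to a service inventory to see which results to trust. This is an added example, not part of the original post or the vendor's tooling; the inventory format, the `http`/`https` labels, the status names and the "target can reach engine" column are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_PORTS = {80, 443, 8080, 8888}   # ports the post says trigger the check
HTTP_LABELS = {"http", "https"}         # assumed fingerprint labels for HTTP(S)

@dataclass
class Service:
    host: str
    port: int
    fingerprint: Optional[str]   # service name from fingerprinting, if any
    engine_reachable: bool       # can the target connect back to the scan engine?

def parse_inventory(text):
    """Parse constructed CSV rows: host, port, fingerprint, reachable(yes/no)."""
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, fp, reach = [f.strip() for f in line.split(",")]
        rows.append(Service(host, int(port), fp or None, reach == "yes"))
    return rows

def triage(svc, fingerprinting_enabled):
    """Classify how much a remote-check result for this service can be trusted."""
    on_default_port = svc.port in DEFAULT_PORTS
    by_fingerprint = (fingerprinting_enabled
                      and (svc.fingerprint or "").lower() in HTTP_LABELS)
    if not (on_default_port or by_fingerprint):
        return "not-checked"      # the check never fires for this service
    if not svc.engine_reachable:
        return "inconclusive"     # no callback path (NAT/VPN), so no "vulnerable" result
    return "checked"

def report(text, fingerprinting_enabled):
    return {f"{s.host}:{s.port}": triage(s, fingerprinting_enabled)
            for s in parse_inventory(text)}

# Constructed sample inventory (not real hosts).
SAMPLE = """
# host, port, fingerprinted service, target can reach engine
10.0.0.5, 443, https, yes
10.0.0.6, 9200, http, yes
10.0.0.7, 8080, , no
10.0.0.8, 22, ssh, yes
"""

if __name__ == "__main__":
    for enabled in (False, True):
        print("fingerprinting enabled:", enabled, report(SAMPLE, enabled))
```

Services marked `not-checked` or `inconclusive` need another assessment method before they are treated as not vulnerable.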