Feature: Manage False Positives
A False Positive is an alert about a reported problem that does not actually exist.
The vulnerability scanner is often confronted with indicators of a security problem rather than clear proof. Reporting on the indicators might produce a False Positive; not reporting on them might produce the opposite, a False Negative.
A False Negative is a missing alert where a problem does indeed exist.
While False Positives are manageable, False Negatives are not. Tolerating False Negatives in order to keep False Positives low therefore means having no authoritative scan results and vulnerability assessments.
Example of a False Positive: A service running on a target system may identify itself during a remote scan as version "1.3.11", which is known to be a vulnerable version. Without further knowledge of the system, the vulnerability scanner has reason to believe that a vulnerability exists and will include it in its reports. However, a human administrator of the target system may know that this service has already been security-fixed to "1.3.11-1", while the service still identifies itself as its original version.
Marking a result as False Positive
Marking a result as a False Positive means creating an override rule. To do this, simply click on the icon.
The following steps provide an example for marking a result as a False Positive.
A scan of a remote target system has resulted in a security issue classified as "Medium" regarding the SSH service running on the machine:
We happen to know that the target system is running Debian GNU/Linux "Lenny" 5.0 with the latest security updates installed and suspect that this message is a False Positive.
While checking the vendor's advisory page, we discover that the system does indeed contain OpenSSH in version 5.1p1-5, but we also see that the issue has already been fixed. Thus the vulnerability does not exist in the service running on the target system, meaning we have found a False Positive.
We mark the result as a False Positive by clicking the icon.
In this dialog we can either use the defaults, which mark the result as a False Positive for the combination of host and port in all scans of this task, or we can generalize the override, for example by applying it to any task which scans this target. In either case it is a good idea to include a descriptive text explaining why this result is considered a False Positive. Once this is done, click the "Create override" button.
The override is applied immediately: the scan result no longer contains a "Medium" issue, and the result we marked as a False Positive is not displayed by default. To see it, add issues marked as False Positive to your filter by checking the appropriate box.
Within the report browser, any override can be deleted directly (), edited () or reviewed in detail ().
Because some results can be very long, there is an indicator icon at the top of the result () that can be clicked to jump directly to the override at the bottom.
Advanced use of overrides
When marking the result as a False Positive, you probably noticed that the "New threat" option is set to "False Positive" by default for new overrides. However, you can set it to an arbitrary threat level instead. This is useful when the vulnerability scanner classifies an issue as a low or medium threat but you consider it a high threat because of the circumstances in your network.
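To make the override semantics from the two sections above concrete (scope by host, port and task, or generalized to any task; a new threat of "False Positive" or an arbitrary level; False Positives hidden from the report view by default), here is an added Python model of how such rules select results. It is example code written for this page, not the scanner's own implementation; the Result and Override types, the NVT id, hosts and task names are assumed and constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Result:
    nvt: str       # identifier of the NVT that produced the result (assumed field)
    host: str
    port: str
    task: str
    threat: str    # classification given by the scanner

@dataclass(frozen=True)
class Override:
    nvt: str                     # an override always binds to one NVT
    new_threat: str              # "False Positive" or a threat level such as "High"
    host: Optional[str] = None   # None: apply to any host
    port: Optional[str] = None   # None: apply to any port
    task: Optional[str] = None   # None: apply to any task scanning the target
    text: str = ""               # descriptive reason for the override

    def matches(self, r: Result) -> bool:
        return (self.nvt == r.nvt and self.host in (None, r.host)
                and self.port in (None, r.port) and self.task in (None, r.task))

def apply_overrides(results, overrides) -> List[Tuple[Result, str]]:
    """Return (result, effective threat); the first matching override wins."""
    out = []
    for r in results:
        hit = next((o for o in overrides if o.matches(r)), None)
        out.append((r, hit.new_threat if hit else r.threat))
    return out

def report_view(results, overrides, show_false_positives=False):
    """Results as the report browser lists them: False Positives hidden unless filtered in."""
    return [(r, t) for r, t in apply_overrides(results, overrides)
            if show_false_positives or t != "False Positive"]

# Constructed sample data (placeholder NVT id, documentation hosts, invented task names).
SSH_NVT = "nvt-openssh-placeholder"
RESULTS = [
    Result(SSH_NVT, "192.0.2.10", "22/tcp", "weekly-scan", "Medium"),
    Result(SSH_NVT, "192.0.2.10", "22/tcp", "adhoc-scan", "Medium"),
    Result(SSH_NVT, "192.0.2.11", "22/tcp", "weekly-scan", "Medium"),
]
# Default dialog scope: this host and port, all scans in this task only.
TASK_FP = Override(SSH_NVT, "False Positive", "192.0.2.10", "22/tcp", "weekly-scan",
                   "Lenny ships the fixed package; banner still reports the old version")
# Generalized scope: any task that scans this host and port.
ANY_TASK_FP = Override(SSH_NVT, "False Positive", "192.0.2.10", "22/tcp")
# Raising the threat instead of dismissing the result.
ESCALATE = Override(SSH_NVT, "High", "192.0.2.11", text="internet-facing host")
```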
Once you have created overrides, you can manage them in the Scan Management section.
Associations and contents can be reviewed via the details dialog.
It is possible to jump directly to the respective NVTs. The NVT details dialog lists all overrides associated with this NVT and allows managing the overrides directly.