Feature: Manage False Positives

Content
Marking a result as False Positive
Advanced use of overrides
Override management

Introduction

A False Positive is an alert although the reported problem does not actually exist.

Copyright 2009-2015 Greenbone Networks GmbH
Origin and current version of this document: www.greenbone.net/learningcenter/false_positives.html

The vulnerability scanner is often confronted with indicators of a security problem instead of a clear proof. Reporting the indicators might produce a False Positive. Not reporting them might produce the opposite, a False Negative. A False Negative is a missing alert where a problem does indeed exist. While False Positives are manageable, False Negatives, as a matter of fact, are not. Tolerating False Negatives in order to keep False Positives low therefore means having no authoritative scan results and vulnerability assessments.

Example for a False Positive: A service running on a target system may identify itself as version "1.3.11" during a remote scan, which is known to be a vulnerable version. Without further knowledge of the system, the vulnerability scanner has reason to believe that a vulnerability exists and will include it in its reports. However, a human administrator of the target system may know that this service has already been security-fixed to "1.3.11-1", but the service still identifies itself with its original version.

Marking a result as False Positive

Marking a result as a False Positive means creating an override rule. To do this, simply click on the icon. The following steps provide an example for marking a result as a False Positive. A scan of a remote target system has resulted in a security issue classified as "Medium" regarding the SSH service running on the machine:

Feature: Manage False Positives 10/13/2015 1/8
We happen to know that the target system is running Debian GNU/Linux "Lenny" 5.0 with the latest security updates installed and suspect that this message is a False Positive. While checking the vendor's advisory page we discover that the system does indeed contain OpenSSH version 5.1p1-5, but we also see that the issue has already been fixed in this package. Thus, the vulnerability does not exist in the service running on the target system, meaning we have found a False Positive. We mark the result as a False Positive by clicking the icon.
In this dialog, we can either use the defaults, which will mark the result for the combination of host and port for all scans in this task as a False Positive, or we can generalize the override, for example by applying it to any task which scans this target. In either case it is a good idea to include a descriptive text explaining why this result is considered a False Positive. Once this is done, click the "Create override" button.
The override is applied immediately: the scan result no longer contains a "Medium" issue, and the result which we marked as a False Positive is not displayed by default. To see it, add issues marked as False Positive to your filter by checking the appropriate box.
Within the report browser any override can be deleted directly, edited or reviewed in detail. Because some results can be very long, there is an indicator icon at the top of the result that can be clicked to jump directly to the override at the bottom.
Advanced use of overrides

When marking the result as a False Positive, you probably noticed that the "New threat" option is set to "False Positive" by default for new overrides. However, you can set it to an arbitrary threat level instead. This can be useful in situations where the vulnerability scanner classifies an issue as a low or medium threat, but you consider it a high threat because of the circumstances in your network.

Override management

Once you have created overrides, you can manage them in the Scan Management section. Associations and contents can be reviewed via the details dialog.
It is possible to directly jump to the respective NVTs. The NVT details dialog lists all overrides associated with this NVT and allows one to manage the overrides directly.
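The override semantics described above (the dialog defaults of host, port and task; the generalized override for any task scanning the target; the report filter that hides False Positives; and a "New threat" level other than False Positive) are modelled in the following added example. It is illustrative code written for this page, not Greenbone's implementation; the NVT name, addresses and tasks are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Result:
    nvt: str     # identifier of the test (NVT) that produced the result
    host: str
    port: str
    task: str
    threat: str  # threat level as reported by the scanner

@dataclass(frozen=True)
class Override:
    nvt: str
    new_threat: str             # "False Positive" or a level such as "High"
    text: str                   # the descriptive reason the page recommends
    host: Optional[str] = None  # None = any host
    port: Optional[str] = None  # None = any port
    task: Optional[str] = None  # None = any task that scans this target

    def matches(self, r: Result) -> bool:
        return (self.nvt == r.nvt and self.host in (None, r.host)
                and self.port in (None, r.port) and self.task in (None, r.task))

def effective_threat(r: Result, overrides) -> str:
    """Threat level after the first matching override, else the scanner's own."""
    ov = next((o for o in overrides if o.matches(r)), None)
    return ov.new_threat if ov else r.threat

def report(results, overrides, show_false_positives=False):
    """Report view: False Positives are hidden unless the filter box is checked."""
    rows = [(r, effective_threat(r, overrides)) for r in results]
    return [(r, t) for r, t in rows if show_false_positives or t != "False Positive"]

# Constructed sample data (not from a real scan); 192.0.2.0/24 is a documentation range.
SSH_NVT = "example-openssh-check"   # hypothetical NVT name
RESULTS = [
    Result(SSH_NVT, "192.0.2.10", "22/tcp", "weekly", "Medium"),
    Result(SSH_NVT, "192.0.2.10", "22/tcp", "adhoc", "Medium"),
    Result(SSH_NVT, "192.0.2.11", "22/tcp", "weekly", "Medium"),
]
REASON = "OpenSSH 5.1p1-5 on Debian Lenny already carries the vendor fix"
# Dialog defaults: this host and port, but only for scans in this task.
DEFAULT_OVERRIDE = Override(SSH_NVT, "False Positive", REASON, "192.0.2.10", "22/tcp", "weekly")
# Generalized override: any task that scans this target.
GENERAL_OVERRIDE = Override(SSH_NVT, "False Positive", REASON, "192.0.2.10", "22/tcp")
# "New threat" set to a level instead: raise the scanner's Medium to High everywhere.
RAISE_OVERRIDE = Override(SSH_NVT, "High", "Service is reachable from the Internet")
```

With the default override only the "weekly" result of 192.0.2.10 disappears from the report; the generalized one also hides the "adhoc" result, while the other host stays at Medium.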