False positives in OpenVAS

The NVT doing a remote check for both CVEs is not showing a vulnerability against a Linux system by default. If they are showing up, I can think of two possibilities:

  1. You have configured your filters to show results of NVTs with a low "Quality of Detection (QoD)". See [1] for a description of the QoD and [2] for the "default" value of 70 in your filter which you might have set to a lower value.

  2. For some reason, the system was detected as Windows and thus a higher QoD is assumed.

I guess case 1. would be the first thing to check, as the "great deal of false positives" could be a good indicator for this.

While 2. is very unlikely, you could still check the "Log" output of the NVT called "OS Detection Consolidation and Reporting" (OID 1.3.6.1.4.1.25623.1.0.105937) to see what OS was detected at that host.

Disclaimer: Answer of an NVT Developer @ Greenbone
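As an added example (not part of the answer above), a small Python script that reads a GMP/OpenVAS report XML, applies the same min_qod threshold the GSA result filter uses, and pulls the log text of the OS Detection NVT for a host. The report XML, hosts, QoD values and the second NVT's OID are constructed for illustration; the element layout follows the GMP result format and is an assumption, so check it against a real exported report.

```python
import xml.etree.ElementTree as ET

# Default "min_qod" of the GSA result filter (see the answer above)
DEFAULT_MIN_QOD = 70
OS_DETECTION_OID = "1.3.6.1.4.1.25623.1.0.105937"

# Constructed sample report: hosts, QoD values and texts are illustrative, not from a real scan.
SAMPLE_REPORT = """<report><results>
  <result id="r1">
    <host>192.0.2.10</host>
    <nvt oid="1.3.6.1.4.1.25623.1.0.105937"><name>OS Detection Consolidation and Reporting</name></nvt>
    <threat>Log</threat>
    <qod><value>80</value><type>remote_banner</type></qod>
    <description>Best matching OS: Linux Kernel (constructed)</description>
  </result>
  <result id="r2">
    <host>192.0.2.10</host>
    <nvt oid="1.3.6.1.4.1.25623.1.0.999999"><name>Remote version check (constructed)</name></nvt>
    <threat>High</threat>
    <qod><value>30</value><type>remote_vul</type></qod>
    <description>Possibly vulnerable version (unreliable remote check)</description>
  </result>
</results></report>"""

def parse_results(report_xml):
    """Flatten each <result> into a dict with host, oid, name, threat, qod, description."""
    out = []
    for r in ET.fromstring(report_xml).iter("result"):
        nvt = r.find("nvt")
        out.append({
            "host": (r.findtext("host") or "").strip(),
            "oid": nvt.get("oid", "") if nvt is not None else "",
            "name": nvt.findtext("name", "") if nvt is not None else "",
            "threat": r.findtext("threat", ""),
            "qod": int(r.findtext("qod/value", "0")),
            "description": r.findtext("description", ""),
        })
    return out

def visible_results(results, min_qod=DEFAULT_MIN_QOD):
    """Mimic the GSA filter: only results with QoD >= min_qod are shown."""
    return [r for r in results if r["qod"] >= min_qod]

def detected_os(results, host):
    """Return the OS Detection NVT log text for a host, or None if it is missing."""
    for r in results:
        if r["oid"] == OS_DETECTION_OID and r["host"] == host:
            return r["description"]
    return None
```

With the default of 70 only the OS detection log entry survives the filter; lowering min_qod to 30 makes the constructed QoD-30 finding appear, which is the effect described in case 1.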


Since they are able to detect the exact installed software versions on a given system, authenticated vulnerability scans are by definition better than unauthenticated scans.

Also, with the help of authenticated scans it is possible to detect configuration weaknesses which otherwise would have gone unnoticed.

I only recommend running unauthenticated scans if you want to have a representative test of what an adversary would be able to detect if they scanned your system (in a black box scenario). The other reason would be when you have a very large network and a time constraint that does not allow you to do full authenticated scans.