False negatives occur when the host is vulnerable but the scanner does not report any vulnerability. False positives occur when the host is not vulnerable, yet the scanner reports vulnerabilities on it.
The following are the common reasons for FP/FN occurrences:
1. Due to lack of Authentication and Authorization
2. Scan policy being non-intrusive
Active tests are avoided because exploiting a vulnerability may cause the service or the server to crash, or the vulnerability might not be remotely exploitable. Since scanning policies are based on a non-intrusive approach, tests that may affect the integrity of a system are skipped, so the scanner has to infer the vulnerability state indirectly.
3. No scan after applied fix
4. Fix requires reboot
5. Fix/Patch applied using non-standard methods
It is possible that the patch or fix was applied using a method other than the standard one from the original software vendor. Some third-party patch solutions install the patch in a non-standard fashion. Since the detections are strictly based on the software vendor's advisories, scanning solutions only check for the vendor's standard recommended methods.
6. Issues in vulnerability detection logic (Very rare though)
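To make the reasons above concrete, here is an added toy model (written for this post, not code from any scanner vendor) in which each host records what an unauthenticated scan, an authenticated scan and the running process actually see. The hosts, version numbers and the fixed version 2.4.1 are all constructed assumptions. It reproduces reason 5 (package database not updated by a third-party patch tool gives an FP on the authenticated check), reason 4 (package updated on disk but old binary still running gives an FN unless the scanner also checks for a pending reboot), reasons 1 and 2 (without credentials or active tests only the banner is available as evidence) and reason 6 (a detection-logic bug: comparing version strings lexically makes 2.10.0 look older than 2.4.1).

```python
"""Toy model of how scanner design produces false positives and false
negatives. Constructed example written for this post, not scanner code
from any vendor: hosts, versions and scanner strategies are assumptions."""
from dataclasses import dataclass

# Hypothetical: first release that contains the fix for the flaw being checked.
FIXED_VERSION = "2.4.1"


def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Host:
    name: str
    banner_version: str      # visible on the wire without credentials
    package_db_version: str  # reported by the OS package database (needs login)
    running_version: str     # what is actually loaded in memory
    reboot_pending: bool     # package updated, old binary still running


def truly_vulnerable(host):
    """Ground truth: the code that is executing is older than the fix."""
    return parse_version(host.running_version) < parse_version(FIXED_VERSION)


def unauthenticated_scan(host):
    """Reasons 1 and 2: no credentials and no active exploitation attempt,
    so the only evidence is the service banner."""
    return parse_version(host.banner_version) < parse_version(FIXED_VERSION)


def authenticated_scan(host, check_reboot=False):
    """Credentialed check against the package database. Reason 4: unless the
    scanner also looks for a pending reboot, it trusts the on-disk version."""
    if check_reboot and host.reboot_pending:
        return True
    return parse_version(host.package_db_version) < parse_version(FIXED_VERSION)


def buggy_string_compare_scan(host):
    """Reason 6: a detection-logic defect. Comparing version strings
    lexically makes '2.10.0' sort before '2.4.1'."""
    return host.running_version < FIXED_VERSION


def classify(reported, actual):
    """Map scanner verdict vs. ground truth onto TP / FP / FN / TN."""
    if reported and actual:
        return "TP"
    if reported and not actual:
        return "FP"
    if not reported and actual:
        return "FN"
    return "TN"


def scan_report(hosts):
    """Run each strategy on each host; returns {host: {strategy: outcome}}."""
    strategies = {
        "unauthenticated": unauthenticated_scan,
        "authenticated": authenticated_scan,
        "authenticated+reboot": lambda h: authenticated_scan(h, check_reboot=True),
        "buggy_logic": buggy_string_compare_scan,
    }
    return {
        h.name: {label: classify(fn(h), truly_vulnerable(h))
                 for label, fn in strategies.items()}
        for h in hosts
    }


# Constructed hosts, one per reason discussed in the post.
HOSTS = [
    # Never patched: every strategy should agree.
    Host("unpatched", "2.4.0", "2.4.0", "2.4.0", reboot_pending=False),
    # Reason 5: binary replaced by a third-party tool, package DB never updated.
    Host("nonstandard-patch", "2.4.1", "2.4.0", "2.4.1", reboot_pending=False),
    # Reason 4: package upgraded on disk but the old service is still running.
    Host("reboot-pending", "2.4.0", "2.4.1", "2.4.0", reboot_pending=True),
    # Reason 6: a newer release whose string form sorts before the fix.
    Host("newer-release", "2.10.0", "2.10.0", "2.10.0", reboot_pending=False),
]

if __name__ == "__main__":
    for host, outcomes in scan_report(HOSTS).items():
        print(f"{host:18s} {outcomes}")
```

Running the block prints one row per host; the interesting cells are "nonstandard-patch" under authenticated (FP), "reboot-pending" under authenticated (FN, turning into TP once the pending-reboot check is enabled) and "newer-release" under buggy_logic (FP). The practical lesson is that each scanner strategy has a different blind spot, so a reported finding is best confirmed against what is actually running on the host rather than against a single source of evidence.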
I did not explain the ones which were obvious. Share in the comments if you have ever encountered a false positive or know any other reasons apart from the ones mentioned above.
Happy Learning!!