Nessus Network Auditing

Chapter 7: False Positives

Introduction

Just short of missing a vulnerability, false positives (FPs) are any scanner's worst nightmare. A false positive is the inverse of a vulnerability that slipped past the scanner; the scanner reports a vulnerability when one doesn't exist. This chapter discusses what false positives are, why they are a major issue, categories of false positives, how to deal with false positives (specifically within the Nessus framework), and finally looks at some real-world examples of finding and eradicating false positives.

What Are False Positives?

Per Wikipedia, the Free Encyclopedia, "A false positive is when a test incorrectly reports that it has found what it is looking for" (http://en.wikipedia.org/wiki/False_positive). The encyclopedia correctly goes on to point out that false positives occur in all kinds of detection algorithms.

For a number of different reasons, network-based vulnerability scanners are particularly plagued by this problem. Aside from the often-vague definitions of a technical vulnerability, numerous variables and other external factors can affect the results of the test. As exploiting the actual vulnerability is seldom an option, and as a vulnerability scanner will always err on the side of caution, false positives are relatively common.

This issue is not unique to Nessus and will also affect every other scanner, whether commercial or open source. Indeed, as we will see later in this chapter, Nessus provides a number of checks and balances to ensure that false positives are kept to a minimum.

A Working Definition of False Positives

Although false positives are a known and recognized phenomenon in...
