Remediating False Positives Reported from Network Banner Checks in Scans | Best Practices


When conducting a network-based vulnerability scan with no added credentials, the Alert Logic® Threat Manager™ appliance assesses and reports many vulnerabilities based on a host’s service or application network banner. However, this method of vulnerability assessment may allow false positive vulnerabilities to be reported.

Traditionally, network banners have been used by system administrators to easily identify what services and applications are accessible from a network perspective on the host. While network banners are meant to be useful tools for system administrators, they also provide a means of information that can be used to compromise the host if the host has not been properly secured and hardened.

For example, a Linux host uses the secure shell remote login service commonly known as SSH. The Linux host’s SSH service reports a network banner stating the installed version of SSH is SSH-2.0-OpenSSH_5.3. The Threat Manager appliance, using a network banner check tool, assesses the host’s network banner and reports all known vulnerabilities correlated to the detected service’s version. In this situation, false positive vulnerabilities can be reported that are actually addressed from backported patches, because Threat Manager is not able to detect the patches from the network perspective.

To remediate these reported false positive vulnerabilities, Alert Logic recommends using the following solutions. The first solution is strongly recommended, but if this solution is not possible, the second solution can be used.

Solution #1 - Add Credentials to Your Scan Policy

Alert Logic suggests adding credentials to your scan policy. By adding credentials, Threat Manager will authenticate to the target host machine, assess the precise operating system and version, enumerate a list of installed applications and patches, and suppress vulnerabilities addressed from backported patches. This will help decrease the number of false positive vulnerabilities reported, as well as identify and report additional vulnerabilities not capable of detection from a network-only perspective. For more information about adding credentials to scan policies, refer to our Authenticated Scanning documentation. 

Solution #2 - Ignore Specific Vulnerabilities

If you investigate a reported vulnerability from a network banner check and determine that the host has a backported patch installed that addresses the vulnerability, you can set the vulnerability as ‘inactive’ in the Alert Logic console. This will remove the vulnerability from view in the Alert Logic console and prevent the vulnerability from being reported in future scan results. For a procedure on setting a vulnerability as inactive, refer to the Set a False Positive Scan Result to Inactive | How To article. 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


Please sign in to leave a comment.