Debugging OS Detection on Windows targets

Hello everyone,

I’m using the container immauss/openvas to scan Windows and Linux targets.
On the Linux targets, the OS is detected and the scans run, but on Windows targets (with different Windows versions), the OS recently cannot be detected. This is shown as the detection result:

No Best matching OS identified. Please see the VT 'Unknown OS and Service Banner Reporting' (OID: 1.3.6.1.4.1.25623.1.0.108441) for possible ways to identify this OS.

The NVT page shows that the scan is using 4 different methods to get the OS, some of which were apparently working earlier: A few weeks ago, the scans were also working on Windows targets, the OS was detected through multiple methods (SMB Registry Access, SMB Banner, RDP, MSRPC).

We increased the log level to 128 for all, but we didn’t find any suspicious entries except for the following in openvas.log:

libgvm boreas:  DEBUG:2023-01-25 16h23.05 utc:1732: get_host_from_queue: Boreas already finished scanning and we reached the end of the Queue of alive hosts.
sd   main:  DEBUG:2023-01-25 16h23.05 utc:1732: attack_network: got NULL host, stop/finish scan

This happens at the very beginning of the scan (one second after the “Vulnerability scan ID started for host: IP”). The scan duration is 45 seconds.
In the log, the host is detected as alive.

We can reach the host with SMB in the container and see the directories.

In the Report, there are no errors shown and 3 Results: OS Detection Consolidation and Reporting, Traceroute and Hostname Determination Reporting. The first one shows the message from above, the last 2 don’t show any problems.

Updating the feeds also didn’t help.

Any help is greatly appreciated.


Edit: This also happens on Linux targets without credentials; previously it could be detected (Detection Result: Concluded from SSH banner).

We ended up resetting the container since we had no production data there.
Now GVM is able to recognize the OS and scan the hosts correctly again.
