When I try to scan Windows 10 and Windows 11 users get notifications (three times in total per machine) about a blocked VirTool, and when I checked the logs I noticed that there is an issue WMI query. is there a way to understand how Greenbone performs a scan on a Windows machine:
I have the latest version of each component installed on Ubuntu 22.04
Hi welcome to the GB community forum. Can you explain what you want to understand exactly? 
I want to understand how Greenbone initiates a scan, I understand it’s via SMB and it seems to try to execute a WMI query on a remote machine after trying to connect to it, yet what I don’t understand is if Greenbone gained access to the remote machine then what is trying to achieve by simulating VirTool (assuming the report from Windows defender APT is accurate) and if there is any recommendation enhance Windows scan without having this kind of warning.
SMB is only used for so called local security checks on windows. It also requires setting up credentials for the target.
We are not simulating some virtool. It’s just detected wrongly. This always can happen with virus detection tools.