GVM is giving false positive results on backported software installed on Ubuntu different versions


I don’t know if there is anyone with the same problem that I currently have.

After performed scans with GVM - GSA V9.0.1 on different Ubuntu machines, I have detected that these machines are running Ubuntu 16.04 version and these machines containing vulnerability for OpenSSH service (OpenSSH Multiple Vulnerabilities Jan17 (Linux)), and it shows in the report that installed version is 7.2p2. Also, it shows that it is possible to put a vendor fix, so It leads me to verify if this vulnerability has a security patch and what is the recommended version. Simply I am going to the OS vendor web page and checking if this security vulnerability has a security patch and Yes it has, for my example, there is the proof - https://ubuntu.com/security/notices/USN-3538-1

My question is, how I can get rid of these false-positive results? My understanding is that GVM is checking only OS version to detect vulnerabilities, not an OS vendor backported security patches on services like OpenSSH.

Please note that the mentioned VT has a QoD (Quality of Detection) of remote_banner_unreliable (30 %) which means that it is expected to be prone to false positives against Linux systems. That is also the reason why results of VTs having a QoD of < 70% like the mentioned one isn’t showing up in reports by default as long as the default filter is used.

See here for some more background info on this topic:


Thanks for your information, I found it useful, but I was hoping that I can apply the filter to such kind of false positives even if I use QoD < 0%, so I can review all results found on the host. My idea would be to un-filter vulnerabilities that are for example Ubuntu v16.04 and if that OS contains for example patched software on it. Results could show me or even vulnerabilities could disappear from the list of Results. In other cases It takes a lot of time to search for Ubuntu security patches on their web page for specific software and also it takes time to verify on servers if that patch has been applied.


Mean while, when I am searching for solution, found one more example.
One I have applied 70% QoD I don’t see any other vulnerabilities for example.

I’m really interested in this topic, as I’m in your exact positon.
On one hand i really want to get rid of the false positives due to backports, on the other I fear that an high QoD (50% or more) wouldn’t show me real vulnerabilites on *nix systems and this would be so much worse. Have you managed to solve this issue?
Thanks in advance

Hi, no actualy i am stuck with this and other problems with this free version of gvm hosted on kali linux.
I am still waiting for some good aswers;)