Scan does not detect old obsolete DEBIAN versions

I used the GCE version 4.x for several months in the past and it correctly reported an old publicly available DEBIAN running an even older Drupal … :cold_sweat:
I used the GCE report to objectively report to management a CRITICAL risk on our infrastructure.
As the GCE 4.x failed to scan, I upgraded to the latest GCE 6.0.3. Scans are running fine but the old DEBIAN 6 / Drupal are not reported anymore. I know for a fact that it is still there but not visible anymore.
I always run deep scans … (I did not run the ultimate).

Any idea on this?

Old Debian NVTs with EoL OS are removed from the Community Feed.

Please note:

Dear Greenbone/OpenVAS Users,

over the past 10 years the feed grew to over 50,000 NVTs.
After a full decade it is a good time to clean up the attic.
In terms of NVTs and in terms of quantity this is solely about
authenticated checks for updates of operating systems, also
referred to as “Local Security Checks” (LSCs).

There are thousands of NVTs in the Feed about operating
systems where we have been issuing end-of-life alerts for years already.
I pretty much hope no one in the community still uses
Debian “potato” 2.2 or a Gentoo in the state of year 2005
to just give an example.

There are about 15,000 LSC NVTs from 2010 and before, which we plan
to remove in the coming weeks. We will not remove any remote,
detection or base checks, regardless of their age.

The Greenbone Community Feed (GCF) will become lighter, and some
routines will become faster. However, we will keep those NVTs in the
Greenbone Security Feed (GSF) for the reasons of policy and of
service level agreement. And to be honest, in enterprise networks
we occasionally even detect such old systems kept alive for
industrial processes.

Best regards


Dr. Jan-Oliver Wagner | +49-541-760278-0 |
Greenbone Networks GmbH, Neumarkt 12, 49074 Osnabrück | AG Osnabrück, HR B


This begs the question if anyone knows of an archive where they could be downloaded.
The world is full of changes, special cases, and also historians. And of old systems sitting in a corner which still run some trusted and dependable thingy, proven by time to be correct ;-). And what about the learning experience for pentesters and pentesting historians?
Well, I’ll stop here, don’t want to overdo it. You get the idea.


For the Community Edition users it makes no sense at all; if you have an EoL OS, upgrade to a supported one.
If you are a corp. commercial customer the GSF still does include these NVTs.
