OpenVAS Quality of Detection (QoD)
What is Quality of Detection (QoD) in OpenVAS scans?
For OpenVAS, Quality of Detection (QoD) describes the reliability of a vulnerability detection on a scale from 100% (most confident) to 0% (least confident).
Why is QoD Useful?
QoD is useful for filtering out false-positive vulnerabilities. A test with a lower QoD is more likely to produce false positives. Generally, results with a QoD of 70% or higher are reliable, and those below are more likely to be false positives.
What QoD filtering should I use?
There is no setting that is best for everyone. The right minimum QoD threshold depends on the systems being scanned and on how you weigh false positives against completeness of results. A common cause of false positives is open source software backporting security fixes to older package version numbers. If you are running Linux distributions with many backported fixes, you may see a higher rate of false positives from low-QoD tests.
The default QoD is 70%. However, it can be helpful to run a scan at 0%, which will show you all possible findings. You can then review those findings to determine what level is best for your use case. Note: after you lower your OpenVAS QoD setting in HostedScan, you will need to rescan with OpenVAS to discover all of the lower-QoD findings.
How can I improve my detections?
Many vulnerability detections, such as WordPress and WordPress plugin vulnerabilities, are detected at a lower QoD. Lowering the QoD threshold will produce more detection results, but at the cost of more false positives. In the case of a WordPress site, a lower QoD, for example 30%, may be appropriate.
What are the available QoD levels?
| QoD Level | QoD Type | Description |
|---|---|---|
| 100% | exploit | The detection happened via an exploit and is therefore fully verified. |
| 99% | remote_vul | Remote active checks (code execution, traversal attack, SQL injection etc.) in which the response clearly shows the presence of the vulnerability. |
| 98% | remote_app | Remote active checks (code execution, traversal attack, SQL injection etc.) in which the response clearly shows the presence of the vulnerable application. |
| 97% | package | Authenticated package-based checks for Linux(oid) systems. |
| 97% | registry | Authenticated registry-based checks for Microsoft Windows systems. |
| 95% | remote_active | Remote active checks (code execution, traversal attack, SQL injection etc.) in which the response shows the likely presence of the vulnerable application or of the vulnerability. "Likely" means that only rare circumstances are possible in which the detection would be wrong. |
| 80% | remote_banner | Remote banner checks of applications that offer patch level in version. Many proprietary products do so. |
| 80% | executable_version | Authenticated executable version checks for Linux(oid) or Microsoft Windows systems where applications offer patch level in version. |
| 75% | (no type) | If results without any QoD information are processed (e.g., when migrating data from a legacy system to a currently supported system), they are assigned this value. |
| 70% | remote_analysis | Remote checks that do some analysis but which are not always fully reliable. |
| 50% | remote_probe | Remote checks in which intermediate systems such as firewalls may pretend correct detection so that it is actually not clear whether the application itself answered. For example, this can happen for non-TLS connections. |
| 30% | remote_banner_unreliable | Remote banner checks of applications that do not offer patch level in version identification. For example, this is the case for many open source products due to backport patches. |
| 30% | executable_version_unreliable | Authenticated executable version checks for Linux(oid) systems where applications do not offer patch level in version identification. |
| 1% | general_note | General note on potential vulnerability without finding any present application. |
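The threshold discussion above (filtering at 70% versus lowering to 30% or 0% and then reviewing what was gained) and the QoD type table are easy to reason about with a small script. The following is an added example, not code from HostedScan or Greenbone: it parses a constructed XML fragment shaped like a GMP `get_reports` result (each `<result>` carrying a `<qod>` with `<value>` and `<type>`), applies a minimum-QoD filter, lists the findings that only appear once the threshold is lowered, and tallies the QoD types that survive. The report content and host addresses are made up for the example; a real report would come from your scanner.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of a GMP <get_reports> response.
# Not a real scan; only the elements the filter needs are included.
SAMPLE_REPORT = """<report>
  <results>
    <result id="r1"><name>Apache HTTP Server end-of-life</name><host>10.0.0.5</host>
      <severity>7.5</severity><qod><value>80</value><type>remote_banner</type></qod></result>
    <result id="r2"><name>OpenSSH version-based check</name><host>10.0.0.5</host>
      <severity>9.8</severity><qod><value>30</value><type>remote_banner_unreliable</type></qod></result>
    <result id="r3"><name>WordPress plugin version check</name><host>10.0.0.8</host>
      <severity>6.1</severity><qod><value>30</value><type>remote_banner_unreliable</type></qod></result>
    <result id="r4"><name>Debian package advisory</name><host>10.0.0.9</host>
      <severity>5.0</severity><qod><value>97</value><type>package</type></qod></result>
    <result id="r5"><name>Migrated legacy finding</name><host>10.0.0.9</host>
      <severity>4.3</severity><qod><value>75</value><type></type></qod></result>
    <result id="r6"><name>General note</name><host>10.0.0.8</host>
      <severity>0.0</severity><qod><value>1</value><type>general_note</type></qod></result>
  </results>
</report>"""


def parse_results(report_xml):
    """Flatten each <result> into a dict; a result with no <qod> gets QoD 0."""
    root = ET.fromstring(report_xml)
    findings = []
    for r in root.iter("result"):
        qod = r.find("qod")
        findings.append({
            "id": r.get("id"),
            "name": r.findtext("name", ""),
            "host": r.findtext("host", ""),
            "severity": float(r.findtext("severity", "0")),
            "qod": int(qod.findtext("value", "0")) if qod is not None else 0,
            # An empty <type/> (the 75% "no QoD information" case) becomes "".
            "qod_type": (qod.findtext("type") or "") if qod is not None else "",
        })
    return findings


def filter_by_qod(findings, min_qod=70):
    """Keep findings whose QoD is at least min_qod (70 is the usual default)."""
    return [f for f in findings if f["qod"] >= min_qod]


def findings_gained(findings, high_qod, low_qod):
    """Findings that appear only after lowering the threshold from high_qod to low_qod.

    This is the set you would review after a 0% or 30% scan to decide whether
    the extra results are worth the added false-positive risk.
    """
    return [f for f in findings if low_qod <= f["qod"] < high_qod]


def qod_type_breakdown(findings):
    """Count findings per QoD type, labelling the typeless 75% case."""
    return Counter(f["qod_type"] or "(none)" for f in findings)


if __name__ == "__main__":
    all_findings = parse_results(SAMPLE_REPORT)
    reliable = filter_by_qod(all_findings, 70)
    print(f"{len(reliable)} of {len(all_findings)} findings at min_qod=70:")
    for f in sorted(reliable, key=lambda f: -f["severity"]):
        print(f"  [{f['qod']:>3}% {f['qod_type'] or '-'}] {f['host']} {f['name']}")
    print("Type breakdown:", dict(qod_type_breakdown(reliable)))
    print("Gained by lowering to 30%:")
    for f in findings_gained(all_findings, 70, 30):
        print(f"  [{f['qod']:>3}% {f['qod_type']}] {f['host']} {f['name']}")
```

Run it as a script to see which findings a 70% threshold keeps and which ones only surface at 30%. On a live GVM/OpenVAS installation the same cut can be applied on the server side with the `min_qod` filter keyword when requesting a report, but reviewing the gained findings with their QoD type (for example, the `remote_banner_unreliable` results on hosts that run distributions with backported fixes) is what tells you whether a lower threshold is appropriate for that environment.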
Where can I change the QoD for my HostedScan account?
If you already have an account, you can change the QoD on your account settings page.
If you would like to try out OpenVAS with different QoD settings, you can start a free trial. By default, we run the OpenVAS scanner with a 70% QoD.
Where can I learn more on OpenVAS QoD?
For detailed information about the different QoD levels, Greenbone documentation provides additional breakdowns of the levels and the type of detection they map to. See their OpenVAS/GVM documentation.