Easy way to disable the "intrusive" scans

Is there a quick way to disable all scan types which are considered intrusive? Things like:

  • SQL Injection attacks
  • Default passwords
  • Any kind of brute force attack
  • Any scan that actively exploits a vulnerability

I’m OK with having a lower confidence in the scan results. What I can’t do is run a scan that actively exploits a detected vulnerability just to get a 100% confidence in the scan results.

GVM currently doesn’t provide a way to disable such VTs (these would be the ones in the ACT_ATTACK or higher category) besides searching for them on the file system and de-selecting them one by one in the scan config, which probably isn’t a task you want to do.

So the intrusive VTs are enabled by default? Is there a scan config that has them already disabled? Turning them off individually would be very tedious.

Exactly.

There isn’t such a scan config. Creating one currently would require the following as well:

In addition, every day additional VTs would be added to the scan config once published in the feed.

Is there a way to lock a scan config once created such that new VTs aren’t automatically added to it? The idea would be to create a scan config with all invasive VTs turned off, but where I could manually add new VTs monthly or weekly after screening the invasive ones out.

Where is this “ACT_ATTACK” flag?

You can set the Trend of a scan configuration from dynamic to static so that new VTs are not getting automatically added to it. The related documentation about this can be found here:

https://docs.greenbone.net/GSM-Manual/gos-20.08/en/scanning.html#managing-scan-configurations

Each VT file has something like the following defined in its .nasl file:

script_category(ACT_ATTACK);

Not sure how / where this flag is stored / handled within GVM though.
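As an added example (not code from this thread or from Greenbone), this script does the file-system search the first reply mentions: it parses script_category() and script_oid() out of .nasl files and lists the OIDs of VTs in ACT_ATTACK and the categories above it, which is the list you would de-select in a static-trend scan config. The category names beyond ACT_ATTACK are an assumption taken from the OpenVAS NASL category list, and the sample plugins are constructed so the script runs offline.

```python
import os
import re
import tempfile

# Assumed: the NASL categories from ACT_ATTACK upward that the thread calls
# "intrusive" (names taken from the OpenVAS NASL category list).
INTRUSIVE_CATEGORIES = {
    "ACT_ATTACK", "ACT_MIXED_ATTACK", "ACT_DESTRUCTIVE_ATTACK",
    "ACT_DENIAL", "ACT_KILL_HOST", "ACT_FLOOD",
}
CATEGORY_RE = re.compile(r'script_category\s*\(\s*(ACT_[A-Z_]+)\s*\)')
OID_RE = re.compile(r'script_oid\s*\(\s*"([\d.]+)"\s*\)')

def classify_nasl(text):
    """Parse one .nasl source; return (oid, category) or None if either is missing."""
    oid, cat = OID_RE.search(text), CATEGORY_RE.search(text)
    return (oid.group(1), cat.group(1)) if oid and cat else None

def intrusive_oids(nasl_dir):
    """Walk a plugin directory and return the sorted OIDs of intrusive VTs."""
    found = []
    for root, _dirs, files in os.walk(nasl_dir):
        for name in files:
            if not name.endswith(".nasl"):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                parsed = classify_nasl(fh.read())
            if parsed and parsed[1] in INTRUSIVE_CATEGORIES:
                found.append(parsed[0])
    return sorted(found)

# Constructed sample plugins (not real feed content) so the script runs offline.
SAMPLE_PLUGINS = {
    "info_check.nasl": 'script_oid("1.3.6.1.4.1.25623.1.0.900001");\n'
                       "script_category(ACT_GATHER_INFO);\n",
    "sqli_probe.nasl": 'script_oid("1.3.6.1.4.1.25623.1.0.900002");\n'
                       "script_category(ACT_ATTACK);\n",
    "dos_test.nasl":   'script_oid("1.3.6.1.4.1.25623.1.0.900003");\n'
                       "script_category( ACT_DENIAL );\n",
    "README.txt":      "script_category(ACT_ATTACK);  # not a .nasl file, ignored\n",
}

def demo():
    """Write the samples to a temp dir and report the intrusive OIDs found there."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_PLUGINS.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return intrusive_oids(tmp)
```

To use it on a real installation, call intrusive_oids() with your scanner’s plugin directory instead of the constructed samples and feed the resulting OID list into the scan config you keep on a static trend.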
