2016/sw_scm_files_accessible.nasl looks for files on web servers that should not be available. In its table of targets to search for, it has this entry:
This results in a false positive.
Thanks for your report.
The mentioned VT should already check for a 200 response to avoid false reports on 404 and similar status codes (
check_header:TRUE in the called
http_vuln_check function). Could it be possible that this response is 200 and not 404 as assumed?
Nevertheless from the above the
^default is indeed a little bit too loose so this will be updated to use a line ending anchor
$ to make it more strict.
Those changes should end up in the feed in the next few days.