Some vulnerabilities cannot be directly tested without server disruption. For example, denial-of-service vulnerabilities and some buffer overflows can be very damaging to a server. In order to avoid negative effects, Netcraft detects the possible presence of such vulnerabilities via indirect methods.
Fingerprinting the operating system, the software installed, and the configuration of that software gives enough information to determine whether the server may be vulnerable to an exploit. If vulnerable software, or software in a vulnerable configuration, is found, then the vulnerability is reported as a “possible” problem.
Netcraft provides a facility to mark vulnerabilities that are false positives on your report. The administrators of the server can use this to mark a vulnerability as a false positive for the benefit of future reports.
PCI and security seal customers can submit evidence which is thoroughly checked by the development team, ensuring that the correct fixes are indeed in place. Other customers are able to annotate such issues. Vulnerabilities marked as false positives can then be filtered out from the report, allowing you to focus on vulnerabilities you know are applicable.
The presence of vulnerabilities marked as false positives does not affect the latest date on your seal, allowing the customer to display confidence in the lack of serious vulnerabilities.