Some vulnerabilities cannot be tested directly without disrupting your server. Denial of service attacks obviously fall into this category: exercising the vulnerability would itself be a denial of service. Buffer overflow attacks are also too dangerous to run against a live server: exploiting a live system could put sensitive data at risk, and such attacks are very sensitive to the exact software and configuration present on the system, so a failed exploit attempt could easily crash the server. Netcraft therefore avoids testing such vulnerabilities directly.
Netcraft instead identifies such vulnerabilities by indirect methods. Fingerprinting the operating system, the software installed, and the configuration of that software gives enough information to determine whether the server may be vulnerable to an exploit. If vulnerable software, or software in a vulnerable configuration, is found, the vulnerability is reported as a “possible” problem. It is also possible, however, that you are using a product that was vulnerable but have applied a patch or configuration change that our scan cannot detect. In this case the vulnerability will continue to be reported even though you are not vulnerable, because the presence of the patch cannot be tested. This is called a false positive.
Netcraft provides a facility for marking vulnerabilities on your report as false positives. The server's administrators can use it to mark a vulnerability as a false positive for the benefit of future reports: on those reports a mark appears in the “false positive” column for that vulnerability, and hovering the mouse over the mark shows when it was investigated and by whom.
Marking vulnerabilities as false positives is also valuable if you wish to use the Netcraft security seal. Once a vulnerability is marked as a false positive, it no longer counts against your security seal, so the server can once again display a valid seal.
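The following is an added example, not Netcraft's own code, showing in miniature why fingerprint-based detection produces “possible” findings and false positives, and how a false-positive mark with investigator and date is carried into later reports. The product name, advisory id, banners and investigator are constructed placeholders; a real scanner would draw on a much larger fingerprint and advisory database.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed advisory list: (advisory id, affected product, first fixed version).
# "VULN-EXAMPLE-1" and "ExampleHTTPd" are placeholders, not a real vulnerability.
KNOWN_ISSUES = [
    ("VULN-EXAMPLE-1", "ExampleHTTPd", (2, 4, 5)),
]

# Constructed Server banners, as a fingerprinting scan would see them.
SAMPLE_BANNERS = {
    "www1.example": "Server: ExampleHTTPd/2.4.1",  # banner reports an affected version
    "www2.example": "Server: ExampleHTTPd/2.4.7",  # banner reports a fixed version
    "www3.example": "Server: OtherServer/1.0",     # product not covered by any advisory
}

# False-positive marks recorded by the server's administrators.
# Here www1 runs 2.4.1 with a backported fix the banner cannot reveal, so the
# "possible" finding would otherwise be reported on every future scan.
SUPPRESSIONS = {
    ("www1.example", "VULN-EXAMPLE-1"): ("admin@example", date(2024, 1, 15)),
}


@dataclass
class Finding:
    host: str
    advisory: str
    product: str
    version: str
    false_positive: bool
    investigated_by: Optional[str] = None
    investigated_on: Optional[date] = None


BANNER_RE = re.compile(r"Server:\s*([A-Za-z0-9_-]+)/(\d+(?:\.\d+)*)")


def fingerprint(banner):
    """Extract (product, version tuple, version string) from a Server banner.

    Returns None when the banner does not carry a recognisable product/version.
    """
    m = BANNER_RE.search(banner)
    if not m:
        return None
    product, version_str = m.group(1), m.group(2)
    return product, tuple(int(p) for p in version_str.split(".")), version_str


def assess(host, banner, suppressions=SUPPRESSIONS):
    """Match a fingerprinted banner against KNOWN_ISSUES.

    Every match is only a "possible" problem: the scan sees the advertised
    version, not whether a patch has been backported. A finding that the
    administrators have marked is returned with false_positive=True together
    with who investigated it and when.
    """
    fp = fingerprint(banner)
    if fp is None:
        return []
    product, version, version_str = fp
    findings = []
    for advisory, affected_product, fixed_in in KNOWN_ISSUES:
        if product != affected_product or version >= fixed_in:
            continue  # different product, or already at a fixed version
        mark = suppressions.get((host, advisory))
        findings.append(Finding(
            host, advisory, product, version_str,
            false_positive=mark is not None,
            investigated_by=mark[0] if mark else None,
            investigated_on=mark[1] if mark else None,
        ))
    return findings


def report(banners=SAMPLE_BANNERS, suppressions=SUPPRESSIONS):
    """Render one report line per finding, with a false-positive column."""
    lines = []
    for host, banner in banners.items():
        for f in assess(host, banner, suppressions):
            fp_col = (f"FP ({f.investigated_by}, {f.investigated_on.isoformat()})"
                      if f.false_positive else "")
            lines.append(f"{f.host:15} {f.advisory:15} {f.product}/{f.version:8} "
                         f"possible  {fp_col}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running the block reports www1 as a possible problem with the false-positive column filled in, and nothing for www2 or www3. Clearing the mark (passing an empty `suppressions` dict) shows the same finding with the column empty, which is exactly the state a server is in before its administrators record the investigation.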