# OpenVAS

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/openvas

## Quick definition

OpenVAS is a free tool that scans computers and networks to find security holes. It checks for known weaknesses like outdated software or weak passwords. Think of it as a robot that checks all the doors and windows of a building to see which ones are unlocked or broken. IT professionals use it to fix problems before attackers can exploit them.

## Simple meaning

Imagine you are in charge of security for a large apartment building. Your job is to make sure every door is locked, every window is secure, and every alarm system works. But you cannot check every single door and window yourself because the building is huge. So you hire a robot that can walk through the entire building, test every lock, and report back to you with a list of everything that is broken or unlocked. That robot is like OpenVAS.

OpenVAS is a computer program that scans networks, servers, and devices to find security weaknesses. It compares what it finds against a giant database of known problems, like software bugs that hackers can use to break in. When the scan finishes, it gives you a report that says things like "This computer has an old version of a program that has a known security hole" or "This server has a password that is too easy to guess."

For example, if a company uses a web server that has a known vulnerability, OpenVAS will detect it and warn the IT team. The team can then update the software or apply a patch to fix the problem. This is a core part of keeping systems safe because attackers are constantly looking for these weaknesses to break in and steal data or cause damage.

OpenVAS is different from other security tools because it is completely free and open source. This means anyone can use it, modify it, or audit its code to make sure it works properly. It is widely used by security professionals, ethical hackers, and companies that want to test their own defenses without spending a lot of money on commercial products.

## Technical definition

OpenVAS, which stands for Open Vulnerability Assessment System, is a full-featured vulnerability scanner originally forked from the Nessus project. It is maintained by Greenbone Networks and is part of the Greenbone Security Manager (GSM) suite. OpenVAS uses a client-server architecture with several core components: the OpenVAS Scanner (openvassd), the OpenVAS Manager (openvasmd), the OpenVAS Administrator (openvasad), and the Greenbone Security Assistant (GSA), which is the web-based user interface.

At its core, OpenVAS relies on a constantly updated feed of Network Vulnerability Tests (NVTs). These NVTs are scripts, often written in a language called NASL (Nessus Attack Scripting Language), that describe how to check for specific vulnerabilities. The feed is updated daily with new tests, covering thousands of known vulnerabilities including CVEs (Common Vulnerabilities and Exposures), misconfigurations, missing patches, and policy violations.

When a scan is initiated, the OpenVAS Scanner connects to target hosts using various protocols such as TCP, UDP, ICMP, and application-layer protocols like HTTP, SMB, SSH, and SNMP. It performs service discovery to identify which ports are open and which services are running on those ports. Then it matches the detected services against the NVT database and runs the relevant tests. For example, if it finds an SSH server on port 22, it will run tests for known SSH vulnerabilities like weak key exchange algorithms or outdated versions.

OpenVAS supports both authenticated and unauthenticated scans. An unauthenticated scan checks what an external attacker might see without credentials. An authenticated scan uses valid login credentials (like SSH keys or Windows domain accounts) to log into the system and perform a deeper inspection, such as checking for missing patches, weak passwords, or insecure configurations from the inside. This provides a much more thorough assessment.

The scan results are stored in the OpenVAS Manager database, which organizes them by host, port, service, and vulnerability severity. Severity is typically rated using the CVSS (Common Vulnerability Scoring System) scale from 0.0 to 10.0. The results can be exported in various formats including PDF, HTML, CSV, and XML. OpenVAS also supports scheduling scans, sending email alerts, and generating compliance reports for standards like PCI DSS, HIPAA, and ISO 27001.

In real IT environments, OpenVAS is often integrated into larger security workflows. It can be used alongside intrusion detection systems (IDS), security information and event management (SIEM) platforms, and patch management tools. It can also be deployed in a distributed architecture where multiple scanners work together to cover large or segmented networks without overwhelming the network bandwidth.

## Real-life example

Think of OpenVAS like a home inspector who checks a house for problems before you buy it. The inspector walks through every room, looks at the foundation, tests the plumbing, checks the electrical wiring, and looks for signs of pests or mold. They do not just look at the surface; they use special tools to measure moisture, check for gas leaks, and test that smoke detectors work. After the inspection, you get a detailed report that lists every issue, from a cracked window to a faulty furnace, along with a rating of how serious each problem is.

In the same way, OpenVAS scans a computer network like a home inspector checking a house. The "rooms" are the different computers, servers, routers, and other devices on the network. The "testing tools" are the thousands of vulnerability checks built into OpenVAS. Instead of checking for mold, it checks for outdated software, open ports that should be closed, weak passwords, and known security holes. The report it produces is like the home inspector's report: it lists each problem, explains what it is, and rates how dangerous it might be.

For example, if the home inspector finds a crack in the foundation, you know you need to fix it before the house becomes unsafe. If OpenVAS finds a server running an old version of Apache with a known exploit, the IT team knows they need to update it before a hacker uses that exploit to break in.

Just as you would not buy a house without an inspection, a responsible company should not put a new server on the network without scanning it first with a tool like OpenVAS. And just as a home inspector's report helps you prioritize repairs (fix the leaking roof before painting the fence), OpenVAS helps IT teams prioritize security fixes based on severity.

## Why it matters

OpenVAS matters because it is a critical tool for proactive security. In today's IT landscape, new vulnerabilities are discovered every day. Attackers are constantly scanning the internet for systems that have these weaknesses. If a company does not scan its own network regularly, it is essentially leaving its doors unlocked and hoping no one tries the handle. OpenVAS provides a free, powerful way to find those unlocked doors before a malicious actor does.

For IT professionals, using OpenVAS is often required by industry regulations and compliance standards. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires merchants to run quarterly vulnerability scans against their cardholder data environment. Many companies use OpenVAS to meet these requirements without paying for expensive commercial scanners. Similarly, healthcare organizations subject to HIPAA, and government agencies subject to FISMA, can use OpenVAS to demonstrate due diligence in securing their systems.

OpenVAS also matters because it helps build a security culture within an organization. When scans are run regularly, the results create a baseline of security posture. Over time, you can track whether security is improving or getting worse. This data is valuable for reporting to management and for justifying security budgets. For example, if a scan shows that 30% of servers still use outdated SSL protocols, the IT team can show management that this is a risk and needs funding to fix.

Finally, OpenVAS is important for learning. For students studying for IT certifications like CompTIA Security+, CEH, or CISSP, getting hands-on experience with OpenVAS teaches them how vulnerability scanning works in practice. They learn about scanning methods, false positives, severity ratings, and remediation prioritization. This practical knowledge is far more valuable than just reading about theory.

## Why it matters in exams

OpenVAS appears in multiple IT certification exams, though not always by name. More commonly, exams test the concepts of vulnerability scanning, and OpenVAS is the most common open-source tool used to teach those concepts. For the CompTIA Security+ exam (SY0-601 and SY0-701), vulnerability scanning is a core objective under Domain 4: Security Operations. Candidates need to understand the difference between active and passive scanning, unauthenticated vs. authenticated scans, and how to interpret scan results. OpenVAS is often used in lab exercises to demonstrate these concepts.

For the Certified Ethical Hacker (CEH) exam from EC-Council, vulnerability scanning and assessment are major topics. The exam expects candidates to be familiar with various scanning tools, their features, and how to use them during penetration testing. While CEH mentions commercial tools like Nessus, it also covers open-source alternatives such as OpenVAS. Questions may ask about the advantages of using an open-source scanner over a commercial one, or about the structure of NVT feeds.

For the GIAC GPEN (Penetration Tester) and GSEC (Security Essentials) exams, vulnerability scanning is fundamental. These exams test practical knowledge of scanning methodology, including how to schedule scans, manage false positives, and automate scans in a corporate environment. OpenVAS is a common tool used in SANS courses and labs.

For the Cisco CCNA Security and CompTIA CySA+ exams, vulnerability management is a key domain. CySA+ in particular focuses on the analysis of scan results and remediation. Candidates must be able to read a vulnerability scan report, classify findings by severity, and recommend appropriate fixes. OpenVAS is often used in training materials for these certifications.

Exam questions related to OpenVAS typically fall into three categories: tool identification ("Which tool is an open-source vulnerability scanner?"), operational concepts ("What is the difference between an unauthenticated and an authenticated scan?"), and result interpretation ("Given a scan finding with a CVSS score of 9.0, what should you do?"). In the CompTIA Security+ exam, there is often a performance-based question where you must configure a basic scan or interpret a scan output.

## How it appears in exam questions

OpenVAS appears in exam questions in several distinct patterns. The first is the straight definition question. For example: "Which of the following is an open-source vulnerability scanner?" with options like OpenVAS, Wireshark, Nmap, and Metasploit. The correct answer is OpenVAS. These questions test basic knowledge of security tool categories.

The second pattern involves scenario-based questions. For example: "A security analyst has been asked to perform a vulnerability scan of the internal network without logging into any systems. What type of scan should they perform?" The answer is an unauthenticated scan. This requires understanding that OpenVAS can run either way and that the choice depends on the goal.

The third pattern is about interpreting scan results. A question might present a portion of an OpenVAS report showing findings like "SSL Certificate Expiry: Critical" and "OpenSSH version X detected: Medium." The candidate must prioritize fixes or recommend next steps. These questions test the ability to read and act on real-world scan outputs.

The fourth pattern involves configuration and best practices. For example: "An organization runs vulnerability scans every month. The scan results consistently show a high number of false positives. What should the analyst do?" The answer might involve tuning the scan settings or updating the NVT feed to reduce false positives. Questions about scan scheduling (e.g., during off-peak hours) also appear.

In performance-based questions, especially in CompTIA Security+ and CySA+, you might be asked to drag and drop steps in order: 1. Define scan scope, 2. Choose scan type, 3. Run scan, 4. Analyze results, 5. Remediate findings, 6. Rescan. Or you might be given a simulated OpenVAS output and asked to identify the most critical vulnerability.

Some advanced questions, particularly in CEH or GPEN, might ask about the underlying protocol or scripting language. For instance: "Which scripting language is used to write Network Vulnerability Tests in OpenVAS?" The answer is NASL (Nessus Attack Scripting Language). These questions are less common but appear in deeper certification paths.

## Example scenario

Scenario: A small e-commerce company, 'ShopRight', sells handmade crafts online. They have a web server running their online store, a database server storing customer information, and 20 employee laptops connected to the network. The IT manager, Maria, has heard about a new ransomware attack that exploits a specific vulnerability in older versions of Apache web servers. She is worried that ShopRight might be vulnerable.

Maria decides to use OpenVAS to scan her network. She downloads and installs OpenVAS on a dedicated laptop that she connects to the company's internal network. She configures a scan targeting the web server's IP address (192.168.1.10), the database server (192.168.1.20), and the whole range where the employee laptops are (192.168.1.50-192.168.1.70).

She sets the scan type to 'Full and fast' and schedules it to run overnight to avoid slowing down the business during the day. The next morning, Maria opens the Greenbone Security Assistant web interface and looks at the scan report. The report shows several findings. The web server is running Apache 2.4.41, which has a known critical vulnerability (CVE-2022-26377). The database server has port 3306 (MySQL) open to the whole network, which should only be accessible from the web server. Several employee laptops have SMBv1 enabled, which is a common attack vector for ransomware.

Maria now has a prioritized action list. She first updates Apache to the latest version on the web server. Then she configures the firewall to restrict MySQL access to only the web server's IP. Finally, she sends an IT support ticket to disable SMBv1 on all laptops. After implementing these fixes, she runs a follow-up scan to verify that the vulnerabilities are gone. The second scan comes back clean, showing that all critical issues have been addressed.

This scenario mirrors a typical real-world use of OpenVAS. It shows how a single scan can uncover multiple different types of problems, from missing patches to misconfigurations, and how IT teams can use the results to systematically improve security.

## Common mistakes

- **Mistake:** Running an unauthenticated scan and believing it covers everything.
  - Why it is wrong: An unauthenticated scan only sees what an outsider without credentials can see. It cannot check for missing patches, local misconfigurations, or weak passwords that require a login to the system. This leaves many vulnerabilities invisible.
  - Fix: Always run an authenticated scan whenever possible, using valid credentials (like SSH keys or domain accounts) to get a complete picture of the system's security posture.
- **Mistake:** Treating all scan findings as equally important and trying to fix them all at once.
  - Why it is wrong: Vulnerabilities have different severity levels. Fixing a low-severity issue before a critical one wastes time and leaves the most dangerous problems unaddressed. This can lead to a breach.
  - Fix: Prioritize remediation based on CVSS scores. Fix Critical and High severity issues first, then Medium, and then Low. Also consider the context: a critical vulnerability on an exposed external server is more urgent than on an internal-only system.
- **Mistake:** Assuming that a clean scan report means the network is completely secure.
  - Why it is wrong: A vulnerability scanner can only find known vulnerabilities. It cannot detect zero-day exploits, logic flaws in custom applications, or social engineering attacks. Relying solely on scanning gives a false sense of security.
  - Fix: Use vulnerability scanning as one part of a layered security strategy. Combine it with penetration testing, security awareness training, monitoring, and incident response planning.
- **Mistake:** Not updating the NVT feed regularly and using an old set of vulnerability tests.
  - Why it is wrong: New vulnerabilities are discovered daily. If the NVT feed is not updated, the scanner will miss recent threats. An old feed is useless for detecting the latest attacks.
  - Fix: Configure OpenVAS to automatically update the NVT feed at least once a day, or manually run the 'greenbone-nvt-sync' command before each scan.
- **Mistake:** Ignoring false positives instead of investigating them.
  - Why it is wrong: Some scan results are false positives, meaning the scanner incorrectly flagged something as a vulnerability. If you simply ignore all false positives, you might also ignore a real issue that looks similar. Over time, you lose trust in the scanner's reports.
  - Fix: Investigate suspicious findings manually. If confirmed as a false positive, mark it as such in the scanner (if the tool supports it) so future scans do not report it again. Keep a log of false positives for reference.

## Exam trap

{"trap":"In an exam question, you are asked to identify which tool is used for vulnerability scanning. Options include OpenVAS, Nmap, Wireshark, and Metasploit. Many learners choose Nmap because they know it scans networks, but Nmap is primarily a port scanner, not a full vulnerability scanner.","why_learners_choose_it":"Learners confuse network scanning with vulnerability scanning. Nmap is famous for discovering hosts and open ports, and that looks similar to vulnerability scanning. OpenVAS does include port scanning, but its main purpose is testing for known vulnerabilities using a database of checks.","how_to_avoid_it":"Remember the key difference: Nmap tells you 'what is open', while OpenVAS tells you 'what is wrong with what is open'. Also remember that Metasploit is an exploitation framework (for attacking), Wireshark is a packet analyzer (for monitoring traffic), and OpenVAS is a vulnerability scanner (for finding weaknesses)."}

## Commonly confused with

- **OpenVAS vs Nessus:** Nessus is a commercial vulnerability scanner that OpenVAS was originally forked from. OpenVAS is open-source and free, while Nessus has a paid license. Both use similar concepts, but Nessus has more polished reporting and commercial support. OpenVAS uses the same NASL scripting language and similar architecture. (Example: If you need a free scanner for a small business, you might choose OpenVAS. If you have a budget and need official support, you would use Nessus.)
- **OpenVAS vs Nmap:** Nmap is a network mapping tool that discovers hosts and open ports, but it does not test for specific vulnerabilities using a database of signatures. OpenVAS includes port scanning as a first step, but then goes much deeper by running thousands of vulnerability checks. Nmap can be used as part of a vulnerability assessment, but it is not a vulnerability scanner by itself. (Example: Using only Nmap is like knowing which doors and windows a house has, but never checking if they are locked. OpenVAS is like checking every door and window to see which ones are actually unlocked or broken.)
- **OpenVAS vs Metasploit:** Metasploit is an exploitation framework used to actually attack a vulnerability, while OpenVAS is used to find it. You would use OpenVAS first to discover a weakness, then Metasploit to test if the weakness can be exploited. The two tools are complementary, not the same. (Example: OpenVAS is like a doctor diagnosing an illness. Metasploit is like giving the medicine (the exploit) to see if the patient really has that illness. You do not give medicine without a diagnosis first.)

## Step-by-step breakdown

1. **Installation and Setup** — Download and install OpenVAS (often via the Greenbone Security Manager or from Linux repositories). The installation sets up the scanner, manager, and web interface. You need to initialize the database and sync the NVT feed for the first time, which downloads thousands of vulnerability tests.
2. **Target Definition** — Define the targets you want to scan. This can be a single IP address, a range (e.g., 192.168.1.1-192.168.1.254), or a subnet using CIDR notation (e.g., 192.168.1.0/24). You can also define groups of targets for larger networks. Optionally, add credentials for authenticated scanning.
3. **Scan Configuration** — Choose a scan configuration. OpenVAS comes with predefined profiles like 'Full and fast', 'Discovery', 'System Discovery', and 'Base'. You can also create custom configs. Each config determines which NVTs are run. For a thorough assessment, use 'Full and fast' or a custom config that includes both discovery and vulnerability checks.
4. **Running the Scan** — Start the scan from the web interface or via command line. The scanner performs host discovery, port scanning, service identification, and then runs relevant NVTs. The scan may take minutes or hours depending on the number of targets and the complexity of tests. You can monitor progress in the web interface.
5. **Analyzing Results** — Once the scan completes, the results are stored in the manager database. You access them through the Greenbone Security Assistant. The results are grouped by host, each showing open ports, detected services, and vulnerability findings with CVSS scores. You can filter by severity, host, or vulnerability type.
6. **Remediation and Verification** — Based on the report, prioritize and fix the identified vulnerabilities. For example, patch software, change configurations, or close unnecessary ports. After applying fixes, run a follow-up scan targeting the same hosts to verify that the vulnerabilities have been resolved. This confirms that your remediation was effective.

## Practical mini-lesson

OpenVAS in practice requires understanding how to balance thoroughness with operational impact. When you first install OpenVAS, you must sync the NVT feed using 'greenbone-nvt-sync' or via the Greenbone Security Assistant. This feed is the heart of the scanner without it, OpenVAS cannot detect any vulnerabilities. The feed is updated daily, so regular synchronization is essential for maintaining detection of the latest threats.

In a corporate environment, scanning must be carefully scheduled to avoid disrupting production systems. A full and fast scan can generate significant network traffic and may cause older devices to crash or slow down. It is best practice to run scans during maintenance windows. For sensitive systems like industrial control systems (ICS) or medical devices, use more conservative scan profiles that avoid aggressive checks.

Authenticated scanning is where OpenVAS truly shines. Providing credentials (SSH keys for Linux, domain credentials for Windows) allows the scanner to log into the system and check for local issues like weak password policies, missing OS patches, or insecure registry settings. However, credentials must be stored and handled securely. Never store plain-text passwords in the configuration; use SSH keys or credential vaults where possible.

False positives are inevitable. A vulnerability may be reported as present but it is actually mitigated by a compensating control (e.g., a firewall blocking the vulnerable port). The professional approach is to triage every finding, investigate suspicious ones, and permanently mark verified false positives as 'accepted risk' or 'false positive' in the tool. This reduces noise in future scans.

What can go wrong? A common mistake is running an unauthenticated scan against a server that requires authentication for patch compliance, then incorrectly concluding that the server is fully patched. Another issue is network congestion: scanning a large subnet during business hours can cause network slowdowns and trigger intrusion detection alerts. Also, keep in mind that OpenVAS can crash devices that are sensitive to port scans, like old routers or embedded systems. Always test on a small sample first.

Professionals often automate OpenVAS scans using scripts or cron jobs, and integrate the results into a SIEM or ticketing system. For example, you can export scan results in XML format and ingest them into Splunk for correlation with other security events. This transforms OpenVAS from a point tool into a continuous vulnerability management platform.

## Memory tip

Think of OpenVAS as 'Open Vulnerability Assessment Scanner', it opens your eyes to security holes that are open to attack.

## FAQ

**Is OpenVAS completely free to use?**

Yes, OpenVAS is free and open-source under the GNU General Public License (GPL). There are no licensing fees. However, some advanced features or support contracts from Greenbone Networks may require payment.

**Can OpenVAS scan my home network?**

Yes, you can install OpenVAS on a computer on your home network and scan your devices. It is a great way to learn about security and check your router, smart home devices, and computers for vulnerabilities.

**What is the difference between OpenVAS and a vulnerability scanner like Qualys?**

OpenVAS is open-source and self-hosted, meaning you manage the infrastructure yourself. Qualys is a cloud-based commercial service that offers more features, easier scaling, and professional support, but at a cost.

**Does OpenVAS work on Windows?**

OpenVAS is designed primarily for Linux systems. It can run on Windows through virtualization or a Docker container. The official Greenbone Security Manager is based on Linux.

**How often should I update the NVT feed?**

You should update the NVT feed at least daily to ensure you have the latest vulnerability tests. Some organizations set up automatic updates via cron job to run every few hours.

**Can OpenVAS detect all vulnerabilities?**

No, OpenVAS can only detect vulnerabilities that have a corresponding NVT test in its database. It cannot find zero-day vulnerabilities, logic flaws, or vulnerabilities that are highly specific to custom applications without a known signature.

## Summary

OpenVAS is a powerful, free, open-source vulnerability scanner that is important for the security toolkit of IT professionals. It helps identify known vulnerabilities, misconfigurations, and policy violations across networks, servers, and applications. By providing detailed reports with severity ratings, it enables teams to prioritize and fix security weaknesses before attackers can exploit them.

Understanding OpenVAS is important for several reasons. First, it is widely used in real-world IT environments, especially by small and medium businesses that cannot afford commercial scanners. Second, it is a common teaching tool in IT certification courses because it clearly demonstrates the concepts of vulnerability scanning, authenticated vs. unauthenticated scanning, and CVSS scoring. Third, many compliance frameworks require regular vulnerability scanning, and OpenVAS offers a cost-effective way to meet those requirements.

For exam success, remember the key distinctions: OpenVAS is a vulnerability scanner (not a port scanner, not an exploitation tool). Know the difference between authenticated and unauthenticated scans. Understand that the NVT feed must be kept current. Be able to interpret scan results and prioritize fixes based on severity. Finally, remember that a clean scan does not mean a system is completely secure, only that no known vulnerabilities were found.

Whether you are studying for CompTIA Security+, CEH, CySA+, or just looking to improve your practical security skills, mastering OpenVAS will give you a strong foundation in vulnerability management.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/openvas
