OpenVAS/GVM MCQ 60 Tests With Answers (2026)

OpenVAS & GVM MCQ practice questions are essential for preparing for competitive exams, certifications (CompTIA CySA+, CEH), and technical interviews. This comprehensive MCQ platform provides 60 carefully curated practice questions covering vulnerability scanner fundamentals, GVM architecture, and advanced scripting.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering foundational terminology and core definitions), Concepts (covering intermediate protocols, threat mechanics, and architectural trade-offs), and Advanced (covering scenario-based analysis, advanced compliance, and enterprise architectures). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate CompTIA CySA+ or university exam conditions. The interactive engine tracks your progress and identifies knowledge gaps across gvmd, gsad, ospd-openvas, NASL scripts, and custom GMP API automation.
Contents
- 1. Basics (20 Questions): OpenVAS history · NVTs · CVSS · false positives/negatives · scan types · feed management
- 2. Concepts (20 Questions): GVM stack · gvmd · gsad · ospd-openvas · Redis · GMP · QoD · scan configs · distributed architecture
- 3. Advanced (20 Questions): NASL scripting · gvm-tools · python-gvm · air-gapped feeds · mTLS · SCAP/OVAL/CPE · PostgreSQL tuning
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
OpenVAS & GVM: Basics
1. What does the acronym OpenVAS stand for?
Correct answer: C. Open Vulnerability Assessment Scanner (or System)
OpenVAS stands for Open Vulnerability Assessment Scanner (also called Open Vulnerability Assessment System). It is a free, open-source framework for scanning networks and hosts to identify security vulnerabilities. The name reflects its mission: open-source tooling for vulnerability assessment at scale.
2. OpenVAS was originally forked from which well-known vulnerability scanner after it changed to a proprietary license in 2005?
Correct answer: A. Nessus
OpenVAS was forked from Nessus after Tenable Network Security changed Nessus from an open-source tool to a proprietary, closed-source product in 2005. The community fork retained the open-source codebase, eventually evolving into OpenVAS and the broader Greenbone Vulnerability Management (GVM) framework.
3. Which company is the primary developer and commercial sponsor behind the modern OpenVAS and GVM architecture?
Correct answer: B. Greenbone Networks
Greenbone Networks GmbH (based in Osnabrück, Germany) is the primary developer and commercial sponsor of OpenVAS and the GVM architecture. Greenbone maintains both the free community edition (Greenbone Community Feed) and the commercial Greenbone Security Manager appliances and Greenbone Security Feed.
4. What is the primary function of OpenVAS?
Correct answer: C. To discover, assess, and report on security vulnerabilities within a network
OpenVAS is a vulnerability scanner: its primary function is to discover hosts, enumerate services, and assess them against a database of known vulnerabilities (NVTs), then produce detailed reports on findings. It does not patch systems or block attacks in real time; those functions belong to patch management systems and IPS/firewall tools respectively.
5. What is an NVT in the context of OpenVAS?
Correct answer: C. Network Vulnerability Test
NVT stands for Network Vulnerability Test: an individual NASL script (or detection routine) that tests for a specific vulnerability on a target system. The OpenVAS NVT feed contains tens of thousands of NVTs, each targeting a particular CVE, misconfiguration, or software version vulnerability. NVTs are regularly updated to cover newly discovered security issues.
6. Which of the following best describes an "Authenticated Scan" (Credentialed Scan) in OpenVAS?
Correct answer: B. A scan that utilizes provided user credentials (like SSH or SMB) to log into the target machine and check for local vulnerabilities and missing patches
An Authenticated (or Credentialed) Scan provides login credentials (SSH for Linux, SMB/WMI for Windows) to OpenVAS, allowing the scanner to log into target machines and perform Local Security Checks (LSCs). This enables detection of missing patches, insecure configurations, and locally-installed vulnerable software that is invisible to an unauthenticated network scan.
7. What is the name of the web-based graphical user interface used to manage OpenVAS?
Correct answer: D. Greenbone Security Assistant (GSA)
The Greenbone Security Assistant (GSA) is the web-based GUI for managing GVM/OpenVAS. It is served by the gsad daemon and communicates with gvmd (the Greenbone Vulnerability Manager Daemon) via GMP (Greenbone Management Protocol). GSA provides dashboards for tasks, targets, results, and reports.
8. What standard scoring system does OpenVAS use to communicate the severity of a discovered vulnerability?
Correct answer: B. CVSS (Common Vulnerability Scoring System)
OpenVAS uses CVSS (Common Vulnerability Scoring System) to score vulnerability severity. CVSS provides a numerical score (0.0–10.0) based on metrics like attack vector, complexity, privileges required, and impact. OpenVAS maps CVSS scores to descriptive levels: Log (0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), and Critical (9.0–10.0).
9. Which of the following represents a "False Positive" in an OpenVAS scan report?
Correct answer: A. The scanner reports a vulnerability on a system, but manual verification proves the system is actually secure and not vulnerable
A False Positive occurs when OpenVAS reports a vulnerability that does not actually exist on the target system. This commonly happens when NVTs detect a vulnerable banner/version string but a compensating control (patch, WAF, configuration) actually mitigates the vulnerability. False positives must be manually validated and can be managed using OpenVAS "Overrides" to suppress them in future reports.
10. What is the "Greenbone Community Feed" (GCF)?
Correct answer: C. A freely available, regularly updated database of NVTs provided by Greenbone for community users
The Greenbone Community Feed (GCF) is a free, publicly available feed of NVTs maintained by Greenbone Networks. It is updated regularly and covers the majority of publicly disclosed CVEs. It is the default feed used in open-source OpenVAS/GVM installations. The commercial Greenbone Security Feed (GSF) provides additional enterprise, compliance, and policy-based NVTs not found in the community feed.
11. OpenVAS relies heavily on which widely used open-source tool to perform initial host discovery and port scanning before running NVTs?
Correct answer: D. Nmap
OpenVAS uses Nmap (Network Mapper) as its primary tool for host discovery and port scanning. Nmap probes the target network to identify live hosts and open TCP/UDP ports. OpenVAS then uses this port data to select and deploy only the relevant NVTs, making the scan more efficient by avoiding unnecessary checks against closed ports.
12. In the OpenVAS interface, what is a "Target"?
Correct answer: A. A defined set of IP addresses, hostnames, or subnets that will be scanned for vulnerabilities
A Target in OpenVAS/GVM defines the scope of the scan: the IP addresses, hostnames, CIDR subnets, or IP ranges that the scanner will assess. Target configurations also include optional credentials (for authenticated scanning), port lists, and alive-test methods. A single Target object can be reused across multiple Tasks.
13. How does OpenVAS differentiate from a Penetration Testing framework like Metasploit?
Correct answer: C. OpenVAS identifies and reports on potential vulnerabilities; Metasploit provides the tools to actively exploit and compromise those vulnerabilities
OpenVAS is a vulnerability scanner: it identifies, assesses, and reports on vulnerabilities without actively exploiting them. Metasploit is a penetration testing framework that provides fully functional exploit modules to compromise vulnerable systems. The workflow in a security engagement often runs OpenVAS first (vulnerability discovery), then validates critical findings manually using Metasploit (exploitation).
14. What is a "Task" in the Greenbone Vulnerability Management interface?
Correct answer: C. The combination of a specific Target, a Scan Configuration, and a Schedule to execute a scan
A Task is the core operational unit in GVM: it binds together a Target (what to scan), a Scan Configuration (which NVTs and settings to use), optional Credentials (for authenticated scanning), and an optional Schedule (when to run). Tasks can be run manually, scheduled for recurrence, or triggered via the GMP API.
15. Which of the following formats is natively supported by OpenVAS for exporting vulnerability reports?
Correct answer: B. .PDF, .CSV, and .XML
GVM natively supports exporting reports in multiple formats including PDF (for human-readable executive and technical reports), CSV (for spreadsheet analysis), and XML (for machine-readable integration with SIEMs and vulnerability management platforms). Additional formats like HTML and XML-based formats (VERINICE, TXT) are also available through report format plugins.
16. Why is it highly recommended to routinely update the OpenVAS feeds before running a scan?
Correct answer: D. To ensure the scanner has the latest detection scripts for newly discovered CVEs and software flaws
Vulnerability feeds (NVTs, SCAP data, CERT advisories) must be updated regularly because new vulnerabilities are continuously discovered and assigned CVEs. Without updates, the scanner cannot detect recently disclosed vulnerabilities, giving a dangerously false sense of security. Greenbone releases feed updates daily; running scans with a stale feed means missing potentially critical new vulnerabilities.
17. What does the term "CVE" represent when viewing an OpenVAS vulnerability report?
Correct answer: A. Common Vulnerabilities and Exposures (a standardized identifier for known information security vulnerabilities)
CVE stands for Common Vulnerabilities and Exposures: a public, standardized catalogue maintained by MITRE that assigns unique identifiers (e.g., CVE-2021-44228 for Log4Shell) to publicly known information security vulnerabilities. OpenVAS NVTs reference CVE IDs in their metadata, allowing security teams to cross-reference findings with patch advisories, vendor bulletins, and CVSS scores in the NVD.
18. If a system administrator wants OpenVAS to perform a deep inspection of installed software versions on a Linux target, what must be provided in the target configuration?
Correct answer: C. Valid SSH credentials with appropriate privileges (e.g., root or sudo access)
To perform Local Security Checks (LSCs) on a Linux target (checking installed package versions against known-vulnerable versions), OpenVAS requires SSH credentials with sufficient privilege. Root or sudoer access allows the scanner to run package manager queries (dpkg, rpm, etc.) and read configuration files. Without credentials, OpenVAS can only report network-visible vulnerabilities.
19. What is a "False Negative" in the context of an OpenVAS scan?
Correct answer: D. The scanner fails to detect a vulnerability that is genuinely present on the target system
A False Negative is when OpenVAS fails to detect a vulnerability that actually exists on the target system. This is the more dangerous error type in vulnerability management. Common causes include: stale NVT feed missing new CVEs, the vulnerability being hidden behind a firewall or IPS, missing credentials required for authenticated checks, or a misconfigured scan configuration that excludes the relevant NVT family.
20. Which of the following scan configurations is provided by default in OpenVAS for conducting a standard, well-rounded network assessment?
Correct answer: D. Full and Fast
"Full and Fast" is the default and most commonly used built-in scan configuration in OpenVAS/GVM. It runs a comprehensive set of NVTs covering all major vulnerability categories while using optimized timeouts to keep scans time-efficient. It skips service-specific NVTs if the targeted service is not detected as running, avoiding unnecessary scan time. It is the recommended starting point for standard network assessments.
OpenVAS & GVM: Concepts
1. In modern deployments, OpenVAS is a component of a larger architectural framework known as GVM. What does GVM stand for?
Correct answer: B. Greenbone Vulnerability Management
GVM stands for Greenbone Vulnerability Management, the overarching framework developed by Greenbone Networks that encompasses the full vulnerability management lifecycle. OpenVAS (the scanner engine) is one component within GVM. The full GVM stack includes gvmd (manager), gsad (web UI), ospd-openvas (scanner daemon), Redis (NVT cache), and PostgreSQL (database).
2. Which architectural component serves as the central management service, handling the database, users, tasks, and report generation in a GVM deployment?
Correct answer: C. gvmd (Greenbone Vulnerability Manager Daemon)
gvmd (Greenbone Vulnerability Manager Daemon) is the central brain of the GVM architecture. It manages the PostgreSQL database (storing users, tasks, targets, configs, results), handles user authentication, orchestrates scan task delegation to scanner daemons, and generates reports. The GMP (Greenbone Management Protocol) API is exposed by gvmd, allowing both the GSA web interface and automation scripts to control it.
3. What is the role of ospd-openvas within the GVM architecture?
Correct answer: C. It acts as the actual scanner daemon, executing the NVTs against targets and returning the results to the manager
ospd-openvas is the scanner daemon that wraps the OpenVAS scanner engine and exposes it to gvmd via the OSP (Open Scanner Protocol). When gvmd dispatches a scan task, ospd-openvas retrieves the relevant NVTs from the Redis cache, executes them against the targets, and streams results back to gvmd for storage and reporting. It is the component that performs the actual network probing.
4. Which underlying relational database management system does GVM currently use to store configurations, tasks, and report data?
Correct answer: A. PostgreSQL
GVM uses PostgreSQL as its backend relational database. It stores all persistent data: users, roles, targets, scan configurations, credentials, tasks, reports, and audit logs. PostgreSQL was chosen over SQLite (used in earlier versions) for its superior performance, concurrency handling, and scalability for large enterprise deployments with extensive historical scan data.
5. What is the "Quality of Detection" (QoD) metric used for in OpenVAS reports?
Correct answer: D. To represent the reliability and confidence level of a vulnerability finding (e.g., distinguishing between a banner-based guess and an authenticated file check)
QoD (Quality of Detection) is a percentage (0–100%) assigned to each vulnerability finding indicating how confident the detection method is. Low QoD (e.g., 30%) means the detection was based on a banner/version guess that could generate false positives. High QoD (e.g., 97–100%) means the vulnerability was confirmed through authenticated exploitation proof or direct file access. By default, OpenVAS filters out findings below 70% QoD to reduce false positive noise.
6. What does GMP (Greenbone Management Protocol) facilitate?
Correct answer: B. It is the XML-based API protocol used to programmatically control gvmd for automating scans and retrieving reports
GMP (Greenbone Management Protocol) is the XML-based API protocol through which clients communicate with gvmd. It exposes commands like create_task, start_task, get_results, and get_reports, allowing security teams to fully automate the vulnerability management lifecycle via scripts, CI/CD pipelines, or SOAR integrations. The gvm-tools Python library provides a high-level wrapper around GMP.
7. In a GVM architecture, how does the scanner (ospd-openvas) temporarily store and quickly access the thousands of NVTs during a scan?
Correct answer: C. By utilizing an in-memory Redis database instance
Redis (an in-memory key-value store) is used as the NVT knowledge base cache during scan runtime. After a feed update, the NVT files (NASL scripts) are parsed and their metadata (OIDs, dependencies, timeout values, CVE references) are loaded into Redis. ospd-openvas reads from Redis at scan time for high-speed NVT lookup, allowing it to rapidly select and execute the appropriate tests without filesystem I/O overhead.
8. If an administrator is scanning a fragile legacy IoT device and wants to ensure the scanner does NOT execute NVTs that could potentially crash the device, which setting should be verified?
Correct answer: A. Enable "Safe Checks" in the scan configuration
"Safe Checks" is a scan configuration preference that instructs OpenVAS to avoid running NVTs that could cause disruption, instability, or crashes on target systems. When enabled, NVTs that would send malformed packets or perform destructive probes are skipped or use passive detection methods instead. This is critical when scanning production systems, fragile IoT firmware, industrial control systems, or systems with limited TCP/IP stack implementations.
9. What is the primary difference between the "Full and Fast" and "Full and Very Deep" default scan configurations?
Correct answer: C. "Full and Fast" relies on optimized timeouts and skips NVTs if a service is unresponsive, whereas "Full and Very Deep" ignores timeouts and performs exhaustive checks regardless of scan duration
"Full and Fast" is time-optimized: it uses dependency optimization, skips NVTs for non-detected services, and respects configurable timeouts. "Full and Very Deep" removes these optimizations, running all applicable NVTs regardless of whether a service was detected and ignoring timeout constraints, resulting in much longer scan times but potentially uncovering vulnerabilities that the time-limited scan would miss on slow-responding services.
10. How does OpenVAS handle "Overrides" in vulnerability reporting?
Correct answer: B. It allows administrators to mark specific false positives or accepted risks to artificially modify their severity in future reports without changing the underlying NVT
Overrides in GVM allow security teams to customize how specific vulnerability findings are displayed in reports. A finding identified as a false positive can have its severity overridden to 0.0 (suppressed), and internally accepted business risks can have their severity adjusted without modifying the underlying NVT. Overrides are scoped by NVT, host, port, and can have expiry dates, enabling proper risk acceptance workflow.
11. When performing an authenticated SMB scan against a Windows environment, why might OpenVAS fail to perform Local Security Checks (LSCs) even if the credentials are correct?
Correct: D: The credentials provided belong to a standard user lacking local Administrator privileges, or UAC (User Account Control) is preventing remote registry access
For Windows LSCs, OpenVAS requires credentials with Local Administrator privileges and the ability to access the remote registry and administrative file shares (e.g., C$). Standard user accounts are blocked by UAC from accessing the registry remotely. Even with correct credentials, if UAC Remote Restrictions are enabled (the default on modern Windows), OpenVAS will receive authentication errors and fail to perform patch-level checks.
12. What is the purpose of OSPD (Open Scanner Protocol Daemon)?
Correct: B: To provide a standardized Python framework that allows GVM to control multiple disparate vulnerability scanners (like OpenVAS) through a unified protocol
OSPD (Open Scanner Protocol Daemon) is a Python base library that defines a standard protocol for integrating any vulnerability scanner with GVM. ospd-openvas is the specific implementation that wraps the OpenVAS scanning engine. The OSPD abstraction means that GVM can theoretically control other scanners (e.g., Nikto, Nmap-based scanners) by building OSPD-compliant wrappers for them, all managed through the same gvmd interface.
13. Which component of the GVM stack provides the web server and graphical interface?
Correct: B: gsad (Greenbone Security Assistant Daemon)
gsad (Greenbone Security Assistant Daemon) serves the GSA web application. It hosts the HTTPS web server, handles user session management, and communicates with gvmd via GMP over a Unix socket or TCP connection. When a user interacts with the GSA web dashboard, gsad translates those HTTP requests into GMP protocol calls to gvmd and renders the responses back as the web interface.
14. In OpenVAS, what is the function of a "Port List"?
Correct: C: A predefined list of TCP and UDP ports that the scanner will target during the host discovery and enumeration phase
A Port List in GVM defines which TCP and/or UDP ports the scanner will probe during a scan. Built-in port lists include "All TCP", "All TCP and Nmap Top 100 UDP", and "OpenVAS default". Selecting a more comprehensive port list increases scan coverage but also significantly increases scan duration. Administrators can create custom port lists targeting only the ports relevant to their specific environment.
15. What is the primary advantage of deploying a Distributed GVM Architecture (Master/Sensor setup)?
Correct: D: It enables a central Master node to manage tasks and aggregate reports while offloading the actual scanning workload to remote Sensor nodes placed in different network segments
In a Master/Sensor (Distributed) GVM architecture, a central GVM Master instance manages tasks, users, and centralizes reporting. Remote Sensor nodes (running ospd-openvas) are deployed in different network segments (e.g., behind firewalls, in DMZs, in branch offices) and perform the actual scanning locally. This enables scanning of segmented networks without creating broad firewall rules to allow scanner traffic across all segments.
16. During the update process, what command is traditionally used to synchronize the NVT feed from Greenbone servers to the local installation?
Correct: B: greenbone-nvt-sync (or gvm-feed-update depending on the installation method)
The traditional command for synchronizing the Greenbone NVT feed is greenbone-nvt-sync (for older GVM versions) or gvm-feed-update (in newer GVM installations via gvm-tools/official packages). Additionally, greenbone-scapdata-sync and greenbone-certdata-sync update the SCAP vulnerability database and CERT advisories respectively. Modern deployments can automate these with systemd timers or cron jobs.
17. How can OpenVAS be configured to send an email notification automatically when a critical vulnerability is detected?
Correct: C: By creating an "Alert" associated with a specific Task, triggering conditionally based on severity thresholds
GVM's Alert system allows administrators to configure automated notifications tied to specific Task outcomes. Alerts can be triggered by conditions like "new results with severity > 7.0 found" or "task status changed to Done." Alert actions include sending emails (via SMTP), Syslog messages, HTTP requests (webhooks), SMB file creation, and Sourcefire integration, enabling real-time notification workflows.
18. What is the relationship between CPE (Common Platform Enumeration) and OpenVAS?
Correct: A: OpenVAS uses CPE identifiers to precisely catalog and match discovered operating systems, applications, and hardware devices to known vulnerabilities
CPE (Common Platform Enumeration) is a standardized naming convention for software, operating systems, and hardware (e.g., cpe:/a:apache:http_server:2.4.49). OpenVAS NVTs identify discovered software and map it to CPE strings, which are then cross-referenced against the SCAP vulnerability database to find matching CVEs. This CPE-CVE mapping is central to how OpenVAS correlates discovered software versions to known vulnerabilities.
19. If an administrator notices a scan taking an extraordinarily long time to complete on a large subnet, which setting in the Task configuration could be adjusted to optimize speed?
Correct: B: Maximum concurrently executed NVTs per host / Maximum concurrently scanned hosts
The "Maximum concurrently executed NVTs per host" and "Maximum concurrently scanned hosts" settings control scan parallelism. Increasing these values allows OpenVAS to scan more hosts and run more NVTs in parallel, significantly reducing total scan duration for large subnets. However, excessively high values can overwhelm the scanner server's CPU/memory resources or trigger IPS alerts on target networks; a balance must be struck based on available hardware.
20. What is a notable limitation of the Greenbone Community Feed (GCF) compared to the commercial Greenbone Security Feed (GSF)?
Correct: D: The Community Feed is delayed by 30 days and lacks specific enterprise/compliance NVTs (like policy auditing and specific enterprise product checks)
The Greenbone Community Feed (GCF) is delayed by approximately 30 days compared to the commercial Greenbone Security Feed (GSF). Additionally, GSF includes enterprise-grade NVTs covering policy compliance checks (CIS benchmarks, PCI DSS, HIPAA), specific enterprise software (SAP, Cisco, Citrix), and configuration audit policies that are absent from the community feed, making GSF significantly more comprehensive for compliance-driven organizations.
OpenVAS & GVM - Advanced
1. What underlying scripting language are OpenVAS Network Vulnerability Tests (NVTs) written in?
Correct: B: NASL (Nessus Attack Scripting Language)
OpenVAS NVTs are written in NASL (Nessus Attack Scripting Language), a domain-specific scripting language originally developed for Nessus and retained by OpenVAS when it forked. NASL provides built-in network functions for socket manipulation, packet crafting, service probing, and pattern matching. Each NASL script encodes the logic for detecting a specific vulnerability: it opens connections, retrieves banners, and determines whether a target is vulnerable.
2. Which tool provides a command-line interface and Python library for automating GVM tasks via the Greenbone Management Protocol (GMP)?
Correct: C: gvm-tools
gvm-tools is the official CLI and Python library for GVM automation. It provides gvm-cli (a command-line GMP client) and python-gvm (a Python library exposing a high-level GMP API). Security teams use gvm-tools to script vulnerability scan workflows: creating targets, starting tasks, polling for completion, downloading XML reports, and parsing results for SIEM or ticketing system integration.
3. In a highly secure, air-gapped network, how must a GVM administrator update the vulnerability feeds?
Correct: D: By downloading the feed archives on an internet-connected machine, transferring them via physical media, and utilizing the sync command pointing to the local directory
For air-gapped environments, Greenbone provides offline feed bundles. The process is: (1) download the compressed NVT/SCAP/CERT feed archives on an internet-connected machine, (2) transfer via USB/DVD/secure file transfer to the air-gapped GVM server, (3) run the sync commands with the --feeddir parameter pointing to the local extracted directory. This ensures even classified network GVM installations stay current without internet connectivity.
4. What happens under the hood if ospd-openvas loses its connection to the Redis cache?
Correct: D: The scanner daemon will fail to execute NVTs, resulting in empty or failed scan reports, as Redis is mandatory for storing the NVT knowledge base during runtime
Redis is architecturally mandatory for ospd-openvas: the NVT metadata, dependencies, and preferences are loaded into Redis during feed synchronization. At scan time, ospd-openvas reads NVT data exclusively from Redis; there is no fallback to filesystem or PostgreSQL for NVT execution. If Redis is down, ospd-openvas cannot retrieve NVT information and will produce failed or empty scan reports. Redis connectivity must be verified before running scans.
5. If a security engineer wants to write a custom NVT to check for an in-house proprietary software vulnerability, what essential components must be included in the NASL script?
Correct: C: A unique OID (Object Identifier), description, script dependencies, and the execution logic
A valid OpenVAS NVT NASL script requires: (1) a unique OID (e.g., 1.3.6.1.4.1.XXX.1) registered in the script_oid() call, (2) metadata functions (script_name(), script_description(), script_summary(), script_category(), script_copyright()), (3) dependency declarations (script_dependencies()) referencing prerequisite NVTs that must run first, and (4) the actual detection logic in the main() or execute() function using NASL built-ins for network interaction.
6. When troubleshooting a GVM installation where the GSA web interface displays "503 Service Unavailable," what is the most likely architectural cause?
Correct: B: The gsad daemon cannot establish a Unix socket or TCP connection to the gvmd manager daemon
A 503 from GSA indicates gsad is running but cannot reach gvmd. The GSA web interface requires a live connection to gvmd (via Unix socket at /run/gvmd/gvmd.sock or via TCP). Troubleshooting steps: (1) check if gvmd is running (systemctl status gvmd), (2) verify socket file exists and has correct permissions, (3) check gvmd logs for startup errors, (4) confirm the socket path configured in gsad matches the actual gvmd socket location.
7. How does OpenVAS utilize the find_service NVT family during the initial phases of a scan?
Correct: C: To identify which services are actually running on the open ports discovered by Nmap, allowing the scanner to select only the relevant NVTs to execute against them
After Nmap identifies open ports, the find_service family of NVTs (including find_service.nasl, find_service2.nasl, etc.) probes each open port to fingerprint what service is actually running, regardless of default port assignments. This service fingerprinting is critical: it prevents the scanner from running web-server NVTs against an FTP port, ensuring only contextually appropriate tests are executed, reducing both false positives and scan time.
8. An authenticated scan of a Linux target using SSH fails to return Local Security Check (LSC) results. You verify the SSH credentials are correct. What is the most likely cause of this specific failure?
Correct: A: The SSH user lacks the necessary sudo privileges to execute the package manager commands (e.g., dpkg or rpm) required to verify installed software versions
LSCs on Linux require the SSH user to be able to execute package manager query commands. For Debian/Ubuntu systems, this means running dpkg -l or apt commands; for RHEL/CentOS, rpm -qa. If the user lacks sudo privileges for these commands, or sudoers is configured with NOEXEC or specific command whitelists that exclude package manager queries, LSC NVTs will fail silently, returning no patch-level data even though SSH authentication succeeds.
9. What is the advanced filtering syntax used within the GVM interface to locate all High and Critical vulnerabilities found on a specific IP address?
Correct: C: host=192.168.1.5 severity>7.0
GVM's built-in PowerFilter syntax uses key=value pairs with comparison operators. The filter "host=192.168.1.5 severity>7.0" retrieves all results for a specific host with CVSS severity above 7.0 (i.e., High and Critical). Other useful filter tokens include: task_id=..., nvt=..., family=..., solution_type=..., and date ranges. Filters can be saved as named filters for repeated use in dashboards and reports.
10. In a complex enterprise environment, how are TLS certificates utilized within the internal GVM architecture?
Correct: D: They provide mutual TLS (mTLS) authentication and encryption between the various internal daemons (gsad, gvmd, ospd-openvas) to prevent local privilege escalation and sniffing
GVM uses mutual TLS (mTLS) to secure inter-daemon communication. gsad presents a client certificate when connecting to gvmd; gvmd presents a certificate when connecting to ospd-openvas. This mTLS enforcement prevents local privilege escalation attacks where an unprivileged process attempts to impersonate a GVM daemon over the socket/TCP channel. Certificate management for GVM uses the gvm-manage-certs tool.
11. What is the function of the "Alive Test" in an OpenVAS Target configuration?
Correct: C: It dictates the method (e.g., ICMP Ping, TCP-ACK, ARP) the scanner uses to verify a host is online before wasting time launching a full port scan and NVTs against it
The Alive Test setting determines how OpenVAS probes each host to confirm it is reachable before committing scan resources to it. Options include: ICMP Ping (blocked by many firewalls), TCP-ACK Service (more firewall-tolerant), ARP (works only on local subnets), HTTP GET request, or "Scan all hosts regardless" (disables alive testing). Selecting the appropriate method avoids marking live hosts as down simply because ICMP is blocked.
12. During a vulnerability scan, OpenVAS triggers an IDS/IPS on the target network, causing the target firewall to drop all further packets from the scanner. Which advanced evasion technique can be configured in OpenVAS to mitigate this?
Correct: C: Altering the "Source IP" via MAC spoofing and adjusting scan timing/fragmentation (though OpenVAS is generally designed for authorized, unevasive internal scanning)
OpenVAS is primarily designed for authorized internal scanning, not IDS evasion; it is explicitly not a stealth tool. However, some mitigations include: reducing scan speed/concurrency to lower per-second packet rates below IPS thresholds, using TCP fragmentation options, adjusting the scan timing, or coordinating IDS exclusions for the scanner's source IP. True evasion-oriented scanning requires purpose-built tools. Using a different NVT feed has no impact on IDS detection.
13. How does GVM correlate a discovered software product to known CVEs without actively exploiting the system?
Correct: C: By using the NVT to extract the software banner/version, mapping it to a CPE string, and querying the local SCAP (Security Content Automation Protocol) database for matching CVEs
GVM's vulnerability correlation pipeline: (1) NVT probes the target and extracts a version banner (e.g., "Apache httpd 2.4.49"); (2) the NVT maps this to a CPE string (cpe:/a:apache:http_server:2.4.49); (3) GVM queries its locally synchronized SCAP database (NVD/CVE data) for all CVEs where the affected CPE matches; (4) matching CVEs are reported with their CVSS scores. This passive, banner-based approach avoids active exploitation while still identifying vulnerability exposure.
14. What is a significant risk when executing "Denial of Service" family NVTs during a production environment scan?
Correct: C: They actively send malformed packets designed to exhaust resources or crash services, potentially causing actual downtime for the targeted production systems
Denial of Service NVT families (e.g., DoS, Buffer Overflow testers) send intentionally malformed or resource-exhausting packets to determine if a target crashes or becomes unresponsive, confirming a vulnerability is exploitable. In production environments, this can cause real service disruptions, crashes, or require reboots. Best practice: DoS NVT families should only be enabled in dedicated test environments, never against live production systems without explicit, coordinated downtime approval.
15. Which PostgreSQL tuning parameter is most critical to increase when scaling gvmd to handle a massive database of historical scan reports?
Correct: C: shared_buffers (and work_mem)
shared_buffers (controlling PostgreSQL's data cache size) and work_mem (the per-operation sort/hash memory) are the most impactful PostgreSQL tuning parameters for GVM at scale. Large scan report databases with millions of vulnerability findings benefit significantly from more memory allocated to caching query results and sorting large result sets. The Greenbone documentation recommends shared_buffers = 25% of total RAM and appropriate work_mem scaling for large deployments.
16. In OpenVAS, what is the role of a "Scanner" object created within the GVM interface?
Correct: B: It represents an instance of ospd-openvas (or another OSP-compatible scanner), allowing gvmd to delegate scan tasks to local or remote sensor nodes
A Scanner object in GVM represents a configured scanning engine endpoint: the host, port (or Unix socket), and certificate used to communicate with an ospd-openvas instance or other OSP-compatible scanner. Multiple Scanner objects can be defined in one GVM installation, enabling the Master/Sensor distributed architecture where gvmd delegates scans to different ospd-openvas sensors in different network segments.
17. When writing automation scripts using python-gvm, what is the primary connection mechanism used to interact with the gvmd daemon locally?
Correct: C: A local Unix socket (e.g., /run/gvmd/gvmd.sock)
python-gvm (and gvm-cli) connect to gvmd via a Unix domain socket, typically /run/gvmd/gvmd.sock. Unix sockets provide faster, lower-overhead IPC than TCP sockets and are the default for local gvmd communication. For remote access, TCP+TLS is used. The connection is established via UnixSocketConnection() in python-gvm, after which GMP commands are sent as XML to automate scan workflows.
18. What is the impact of setting the "Expand LVM" (Logical Volume Manager) option or deep filesystem traversal during an authenticated Linux scan?
Correct: D: It can drastically increase scan duration and I/O load on the target as the scanner aggressively searches every mounted filesystem for vulnerable software binaries
Deep filesystem traversal options instruct the OpenVAS scanner to recursively search mounted filesystems for software binaries and configuration files rather than relying solely on package manager queries. While this can discover vulnerabilities in manually installed or non-packaged software (which package manager-based checks would miss), it generates enormous I/O load on the target and can dramatically extend scan duration, potentially hours on large filesystems. Use only in scheduled maintenance windows.
19. If gvmd fails to start and logs indicate a "database version mismatch," what administrative action is required?
Correct: B: The administrator must run the gvmd --migrate command to update the PostgreSQL database schema to match the newly installed GVM version
When upgrading GVM to a new major version, the PostgreSQL database schema often changes (new tables, columns, indexes). gvmd detects a schema version mismatch on startup and refuses to run to prevent data corruption. The correct fix is running "gvmd --migrate", which applies incremental SQL migrations to bring the database schema to the version expected by the new gvmd binary, preserving all existing scan history, tasks, and configurations.
20. Under the SCAP data model used by OpenVAS, what is OVAL (Open Vulnerability and Assessment Language) used for?
Correct: C: To standardize the process of assessing and reporting upon the machine state of computer systems, enabling automated configuration and compliance checking
OVAL (Open Vulnerability and Assessment Language) is an XML-based international information security community standard for representing system configuration information, assessing machine states against known vulnerability conditions, and reporting results in a standardized format. Within OpenVAS/GVM, OVAL definitions (distributed as part of the SCAP data feed) enable configuration compliance checking and vulnerability detection based on authoritative NIST/MITRE-published machine-state assessment criteria.
Conclusion: Mastering OpenVAS & GVM
These 60 MCQs cover the full depth of OpenVAS and GVM knowledge, from recognizing what an NVT is and how CVSS scores work, through understanding the five-component GVM daemon architecture, to writing custom NASL scripts and automating scan pipelines with python-gvm in production enterprise environments.
The key mental model for OpenVAS architecture is the data flow: gsad (web UI) → gvmd (manager/database) → ospd-openvas (scanner daemon) → Redis (NVT cache) → PostgreSQL (persistent storage). Understanding which component handles which responsibility answers the majority of GVM architecture troubleshooting questions systematically.
After completing this MCQ set, complement your knowledge with the full OpenVAS & GVM theory notes and explore the broader Cybersecurity MCQ library to see vulnerability management concepts applied in firewalls, zero-trust, and penetration testing contexts.
Key Takeaways: OpenVAS & GVM
- OpenVAS forked from Nessus in 2005 when Tenable made it proprietary; Greenbone Networks is the primary developer.
- NVT = Network Vulnerability Test (NASL script testing for a specific CVE/misconfiguration).
- GVM stack: gsad (web UI) → gvmd (manager) → ospd-openvas (scanner) → Redis (NVT cache) → PostgreSQL (storage).
- gvmd is the central brain: manages tasks, users, reports, and exposes the GMP XML API.
- Redis is mandatory for ospd-openvas; if Redis is down, scans will fail.
- Authenticated scan (SSH/SMB credentials) enables Local Security Checks, which go far deeper than unauthenticated scans.
- QoD = confidence level of detection; default filter is 70% to reduce false positives.
- Community Feed is 30 days delayed vs. commercial Security Feed; lacks enterprise compliance NVTs.
- NASL (Nessus Attack Scripting Language) is used to write NVTs; each requires a unique OID.
- gvm-tools / python-gvm automates GVM via GMP XML API over Unix socket (/run/gvmd/gvmd.sock).
- Air-gapped updates: download feed archives on internet-connected machine → physical transfer → local sync.
- Full and Fast = time-optimized default config; Full and Very Deep = exhaustive, ignores timeouts.
Quick Review & Summary
Use this reference table to consolidate GVM component and concept mappings before or after attempting the questions above.
| Component / Concept | Role / Definition | Key Detail |
|---|---|---|
| gvmd | Central GVM manager daemon | Handles PostgreSQL, GMP API, task orchestration |
| gsad | Web interface daemon | Serves HTTPS GSA UI; communicates to gvmd via socket |
| ospd-openvas | Scanner daemon | Executes NVTs; requires Redis for NVT knowledge base |
| Redis | In-memory NVT cache | Mandatory; ospd-openvas fails without it |
| PostgreSQL | Persistent database | Stores tasks, reports, configs, users |
| NVT | Network Vulnerability Test (NASL script) | Thousands cover CVEs; updated via feed sync |
| GMP | Greenbone Management Protocol | XML API for gvmd automation |
| QoD | Quality of Detection % | Default filter: ≥70%; higher = less false positives |
| CVSS | Vulnerability severity score | 0–10; Critical ≥9.0; High 7.0–8.9 |
| Community Feed | Free Greenbone NVT feed | 30-day delay; no enterprise compliance NVTs |
Frequently Asked Questions
Q. How many OpenVAS / GVM MCQs are available on this page?
Q. What topics do these OpenVAS / GVM MCQs cover?
Q. Are these MCQs suitable for security analyst and certification exam preparation?
Q. What is the difference between OpenVAS and Nessus?
Q. What is the GVM architecture stack?
Q. What is the difference between Study Mode and Exam Mode?
Q. What is QoD (Quality of Detection) and why does it matter in OpenVAS reports?