nerdexam
EC-Council

312-50V11 · Question #1036

Mr. Omkar performed tool-based vulnerability assessment and found two vulnerabilities. During analysis, he found that these issues are not true vulnerabilities. What will you call these issues?

The correct answer is A. False positives. When a vulnerability scanner flags issues that are investigated and confirmed to pose no actual risk, those findings are classified as false positives.

Vulnerability Analysis

Question

Mr. Omkar performed tool-based vulnerability assessment and found two vulnerabilities. During analysis, he found that these issues are not true vulnerabilities. What will you call these issues?

Options

  • AFalse positives
  • BTrue negatives
  • CTrue positives
  • DFalse negatives

How the community answered

(49 responses)
  • A
    90% (44)
  • B
    2% (1)
  • C
    6% (3)
  • D
    2% (1)

Why each option

When a vulnerability scanner flags issues that are investigated and confirmed to pose no actual risk, those findings are classified as false positives.

AFalse positivesCorrect

A false positive occurs when an automated security tool reports a condition as a vulnerability but manual analysis confirms it is a benign behavior or misconfiguration that presents no real risk. This is a well-known limitation of tool-based vulnerability assessments, where broad detection signatures trigger on legitimate system activity, requiring a human analyst to distinguish genuine threats from incorrect alerts.

BTrue negatives

True negatives describe cases where the tool correctly identifies something as not a vulnerability and raises no alert, meaning the result is accurate and no false finding is involved.

CTrue positives

True positives are vulnerabilities correctly flagged by the tool and confirmed through analysis to be genuine security issues that require remediation.

DFalse negatives

False negatives occur when a real vulnerability exists in the system but the tool fails to detect and report it, representing a missed finding rather than an incorrectly flagged non-issue.

Concept tested: Vulnerability assessment result classification - false positives

Source: https://csrc.nist.gov/glossary/term/false_positive

Topics

#false positives#vulnerability assessment#scan accuracy#tool-based scanning

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice