OpenVAS
OpenVAS is a full-featured, open-source vulnerability scanner that performs unauthenticated and authenticated testing to identify security vulnerabilities in networks, systems, and applications.[1] It supports a wide range of high-level and low-level internet and industrial protocols, with performance optimizations for large-scale scans and a custom programming language for developing tailored vulnerability tests.[1] The scanner relies on the Greenbone Community Feed, a continuously updated collection of more than 100,000 vulnerability tests (VTs) that receives daily enhancements to detect emerging threats.[2][3] The project originated in 2005 as a community-driven fork of the Nessus vulnerability scanner, following Nessus's shift from open-source to a proprietary model under Tenable Network Security.[3] It was founded by Intevation GmbH and DN-Systems GmbH (which later became Greenbone AG), with initial support from the German Federal Office for Information Security (BSI) to ensure a free alternative for vulnerability assessment.[3] In 2008, Greenbone AG was established to expand OpenVAS into a complete vulnerability management solution, leading to key milestones such as the release of OpenVAS 9 in 2017 and its rebranding to Greenbone Vulnerability Management (GVM), though the core scanner retained the OpenVAS name; in 2025, the overall solution was rebranded back to OpenVAS.[3][4] OpenVAS's architecture comprises three primary components: the OpenVAS Scanner, which executes VTs using the Open Scanner Protocol (OSP); the Greenbone Vulnerability Management Daemon (gvmd), a central service that orchestrates scans, manages user permissions, and stores results in a PostgreSQL database; and the Greenbone Security Assistant (GSA), a web interface for configuring and reviewing scans.[3] Recent enhancements include the Notus Scanner, introduced in the Greenbone Community Edition 22.4 (2022), which improves efficiency by analyzing installed software against vulnerability databases without relying solely on NASL scripts.[3] Licensed under the GNU General Public License version 2.0 (GPL-2.0), OpenVAS is freely available as part of the Greenbone Community Edition and integrates with additional open-source modules for enterprise-grade security assessments.[5][1]Introduction
Definition and Purpose
OpenVAS is a full-featured, open-source vulnerability scanner designed to perform automated network vulnerability tests (NVTs) for detecting security weaknesses in IT systems.[1] It executes a comprehensive set of tests to identify issues such as misconfigurations, outdated software versions, and weak authentication mechanisms across various protocols and environments.[6] As the core scanning engine, OpenVAS supports both unauthenticated and authenticated testing modes to uncover vulnerabilities that may not be visible externally.[1] In the context of cybersecurity, OpenVAS enables organizations to systematically assess and manage vulnerabilities within their IT infrastructure, encompassing hosts, services, and applications.[6] This facilitates proactive vulnerability management workflows by automating the detection and prioritization of risks, allowing security teams to address potential threats before exploitation.[7] Originally forked from Nessus, it integrates seamlessly into broader security practices to enhance overall network resilience.[5] OpenVAS serves as the primary scanner component within the Greenbone Vulnerability Management (GVM) framework, which comprises multiple open-source modules for comprehensive vulnerability handling.[5] It relies on a continuously updated feed of NVTs to ensure timely detection of emerging threats.[1] Upon completing scans, OpenVAS generates detailed reports outlining identified risks, including severity ratings based on the Common Vulnerability Scoring System (CVSS) scores ranging from 0.0 to 10.0, to aid in remediation prioritization.[6]Development and Licensing
OpenVAS is primarily developed and maintained by Greenbone AG, a company specializing in vulnerability management solutions, with significant contributions from the open-source community through platforms like GitHub.[3][1] The software is released under the GNU General Public License (GPL) version 2.0, which permits free distribution, modification, and use, thereby fostering community-driven enhancements and ensuring its accessibility as an open-source tool.[5] This licensing model aligns with the project's ethos of collaborative development, allowing users and contributors to adapt and extend its functionality without proprietary restrictions. The latest stable release, version 23.31.3, was issued on November 14, 2025, incorporating updates to improve overall performance and compatibility within the ecosystem.[8] OpenVAS is maintained as a core component of the Greenbone Vulnerability Management (GVM) framework, with development involving regular synchronization to vulnerability databases such as the Common Vulnerabilities and Exposures (CVE) list to keep vulnerability tests current.[3] This model supports continuous integration of new threat intelligence, ensuring the scanner remains effective against evolving security risks.Historical Development
Origins from Nessus
Nessus, originally developed by Renaud Deraison in 1998, emerged as a widely used open-source vulnerability scanner that employed the Nessus Attack Scripting Language (NASL) for defining and executing vulnerability tests.[9] In October 2005, Tenable Network Security, the company behind Nessus, announced a shift from its open-source GPL licensing to a proprietary model starting with version 3, restricting further community contributions and access to the source code.[3] This decision prompted the vulnerability scanning community to seek alternatives to maintain an open-source option for network security assessments.[9] The initial fork of Nessus that led to OpenVAS was initiated shortly after the announcement, under the temporary name GNessUs, by security researcher Tim Brown in collaboration with SecuritySpace.[9] Based on the last open-source release of Nessus version 2.2.5, the project launched on October 10, 2005, and gained rapid visibility through an announcement on Slashdot, fostering an initial community of contributors.[9] By late 2005, the project was rebranded as OpenVAS (Open Vulnerability Assessment System) to emphasize its focus on open-source continuity and was formally recognized as an associated project of Software in the Public Interest (SPI), a non-profit organization dedicated to supporting free software initiatives.[10] Sustainable development of OpenVAS from 2006 was driven by Intevation GmbH and DN-Systems GmbH (later Greenbone AG), with initial support from the German Federal Office for Information Security (BSI).[3] The primary goals of the OpenVAS fork were to preserve the core functionality of Nessus, particularly the NASL scripting language for creating and running vulnerability detection scripts, while ensuring full compliance with the GNU General Public License (GPL) to enable ongoing community-driven development.[3] This approach allowed OpenVAS to inherit Nessus's extensive library of NASL-based tests without proprietary restrictions, positioning it as a direct successor for users reliant on customizable, scriptable scanning tools.[11] Early adoption of OpenVAS was bolstered by its governance under SPI, which provided non-profit oversight, DNS hosting, and administrative support through recognized decision-makers including Tim Brown, Sean Baumann, and Robert Berkowitz.[10] This structure ensured transparent, consensus-based management from the outset, attracting initial contributions from developers and integrating OpenVAS into distributions like Debian by 2009 as a replacement for the discontinued open-source Nessus.[12]Evolution and Milestones
OpenVAS's evolution began shortly after its inception as a fork of Nessus in 2005, with the project officially rebranded and launching its first stable release, version 1.0, in July 2008. This initial version established OpenVAS as a standalone vulnerability scanner, incorporating core scanning functionalities and laying the groundwork for modular expansions. By introducing a web interface and management services in 2009, the tool transitioned toward a more integrated vulnerability management system, enabling centralized control and reporting.[13][3] A pivotal advancement occurred around 2010 when OpenVAS integrated into the Greenbone framework, evolving from a standalone scanner to the core component of Greenbone Vulnerability Management (GVM). This shift added layered management capabilities, including enhanced authentication and policy enforcement, while the launch of the first Greenbone Security Manager appliances in 2010 commercialized the open-source foundation without altering its GPL licensing. Concurrently, the introduction of daily Network Vulnerability Test (NVT) feeds in 2008 ensured timely updates to vulnerability signatures, allowing OpenVAS to adapt rapidly to emerging threats through automated synchronization mechanisms. To address evolving threats like cloud and container environments, support for scanning Docker containers and cloud infrastructures was added in the mid-2010s, exemplified by early Docker-based scanning clusters in 2015 that improved scalability for distributed systems.[3][14] Major performance milestones marked the 2010s and beyond, including the release of OpenVAS 9 in 2017, followed by the rebranding to and release of GVM 10 in 2019, which introduced semantic versioning for feeds and optimized the scanner for larger networks. In 2022, the Notus Scanner was integrated to enhance software vulnerability detection, focusing on package-level assessments without full system scans. By 2024, the openvasd daemon—implemented in Rust—replaced parts of the Notus Scanner, delivering improved scalability and security through better resource management and direct scanner interactions. As of October 2024, the community feed contained over 160,000 NVTs; in July 2025, Greenbone announced a branding clarification emphasizing OpenVAS as the name for its proven open-source security scanner within the broader Greenbone ecosystem.[3][15][16][17][4]Technical Architecture
Core Components
OpenVAS, as part of the Greenbone Vulnerability Management (GVM) framework, relies on a modular architecture composed of several key software components that work together to perform vulnerability scanning and management. The primary building blocks include the OpenVAS Scanner, the Greenbone Vulnerability Management Daemon (gvmd), and the Greenbone Security Assistant (GSA), supported by essential libraries and synchronization tools. These components communicate via standardized protocols to ensure efficient operation across distributed environments.[18][3] The OpenVAS Scanner (openvasd) serves as the core daemon responsible for executing Network Vulnerability Tests (NVTs) against target networks. It handles authentication mechanisms, collects scan data from remote hosts, and performs local security checks to identify potential vulnerabilities. The scanner is implemented through theospd-openvas wrapper and the openvas-scanner engine, which are controlled remotely using the Open Scanner Protocol (OSP). As of Greenbone OS 24.10, it uses openvasd for local checks, replacing the earlier Notus Scanner.[15] This modular design allows the scanner to operate independently while integrating seamlessly with other GVM elements.[5][18]
The Greenbone Vulnerability Management Daemon (gvmd) acts as the central orchestrator, managing the overall scanning workflow, user permissions, and result storage. It schedules and initiates scans by communicating with the OpenVAS Scanner via OSP, processes incoming data, and persists results in a PostgreSQL database for querying and analysis. gvmd exposes its functionality through the Greenbone Management Protocol (GMP), an XML-based interface that enables programmatic control and integration with external systems. This component ensures secure, role-based access and maintains the integrity of vulnerability data across sessions.[18][3]
The Greenbone Security Assistant (GSA) provides a browser-based web interface for users to configure scans, monitor progress, and visualize results. Built with HTML5 and JavaScript, it runs via the Greenbone Security Assistant Daemon (gsad), which interacts with gvmd using GMP to translate user inputs into backend operations. This frontend simplifies task creation, credential management, and report generation without requiring direct command-line access.[19][18]
Supporting these core elements are foundational libraries and tools, such as GVM-libs, a C library that handles essential functions like XML parsing, network communication, and protocol implementation for components including the scanner, gvmd, and gsad. Additionally, the greenbone-feed-sync utility facilitates the synchronization of vulnerability feeds, ensuring that NVTs and related data remain current by downloading updates from Greenbone's servers. These libraries enable interoperability and extensibility across the GVM ecosystem.[20][21]
In terms of interaction flow, the architecture follows a pipeline where user requests originate from the GSA web interface, which relays commands to gvmd via GMP for authentication and task orchestration. gvmd then directs the OpenVAS Scanner to perform the actual network probes using OSP, retrieving results back through the same protocol for storage and processing. This layered communication—web frontend to manager to scanner—allows for scalable, asynchronous operations while isolating concerns for maintainability and security.[18][3]
Feed Management and NVTs
The Network Vulnerability Tests (NVTs) form the core of OpenVAS's vulnerability detection capabilities, consisting of a vast library of scripts written in the Nessus Attack Scripting Language (NASL).[22] These scripts perform targeted checks for known vulnerabilities, misconfigurations, and security weaknesses across networks, systems, and applications, covering Common Vulnerabilities and Exposures (CVEs), Common Configuration Enumeration (CCE) items, and custom tests developed by the community and Greenbone.[6] As of late 2024, the OpenVAS feed includes over 140,000 NVTs, enabling comprehensive scanning for a wide range of threats without requiring authenticated access in many cases.[17] The feed system in OpenVAS relies on the Greenbone Community Feed (GCF), which delivers automated daily updates of vulnerability intelligence to keep the scanner current with emerging threats.[23] This feed incorporates Security Content Automation Protocol (SCAP) data, including detailed CVE descriptions and Common Platform Enumeration (CPE) for software identification.[23] Additionally, it integrates CERT data from sources like DFN-CERT and CERT-Bund to address rapidly evolving threats, such as zero-day exploits and advisories from national cybersecurity centers.[23] These updates ensure that OpenVAS remains effective against the latest vulnerabilities without manual intervention beyond initial setup. Feed management is handled through thegreenbone-feed-sync tool, a flexible script that pulls updates via rsync from official Greenbone repositories and verifies their integrity before integration.[21] Administrators typically run this tool via command line (e.g., [sudo](/page/Sudo) greenbone-feed-sync --type all) to download NVTs, SCAP, CERT, and other data feeds, with the process supporting selective synchronization for specific components like --type nvt for vulnerability tests only.[21] Once downloaded, the feeds are loaded into the local PostgreSQL database managed by the Greenbone Vulnerability Manager (GVM) daemons, enabling offline operation and reducing dependency on real-time internet access during scans.[23] This synchronization occurs automatically upon daemon startup, but manual runs are recommended daily or via cron jobs to maintain freshness, with initial full syncs potentially taking hours depending on the system's resources.[23]
Each NVT follows a structured format in NASL, featuring a unique Object Identifier (OID) under the namespace 1.3.6.1.4.1.25623.1.0 for unambiguous referencing within the scanner.[24] Dependencies are declared to specify prerequisite scripts or knowledge base items required for execution, ensuring efficient sequencing during scans and avoiding redundant checks.[25] Solution preferences within the script define handling options for detected issues, such as recommended patches or configuration changes, allowing users to prioritize remediation based on severity and context.[25] NASL's scripting capabilities support custom extensions, permitting users to author new tests for proprietary environments or unaddressed vulnerabilities by leveraging its syntax for protocol interactions, pattern matching, and report generation, all while adhering to the feed's modular design.[26]
Features
Scanning Capabilities
OpenVAS primarily employs active scanning techniques through its Network Vulnerability Tests (NVTs), which are implemented as scripts written in the Nessus Attack Scripting Language (NASL). These plugins enable port enumeration to identify open services, service identification to determine software versions and configurations, and simulated exploit attempts to assess potential vulnerabilities without causing harm.[27] The scanner covers a broad spectrum of vulnerability types, including issues in network services like SMB for file sharing weaknesses and HTTP for web server misconfigurations. It detects software flaws, such as unpatched operating systems by checking version details against known CVE databases, and misconfigurations like weak SSL/TLS implementations that expose data in transit. Additionally, OpenVAS identifies web application vulnerabilities, exemplified by SQL injection risks in database-driven sites, through targeted NASL scripts that probe for input validation failures.[27][28] Performance is enhanced by distributed scanning support, allowing multiple scanner instances to operate in a master-slave architecture for load balancing across large networks. OpenVAS offers both credentialed and non-credentialed modes: credentialed scans provide deeper insights via authenticated access (e.g., SSH or SMB logins) to inspect internal system states, while non-credentialed modes rely on external probes for unauthenticated testing. It also facilitates compliance checks aligned with standards like PCI-DSS for payment card environments and HIPAA for healthcare data protection, using predefined policy audits to verify regulatory adherence.[27][29][14] Despite these strengths, OpenVAS has limitations, including a potential for false positives in complex environments where ambiguous responses lead to misidentified risks, necessitating manual verification. As a batch-oriented tool, it conducts scans on scheduled or manual triggers rather than providing real-time monitoring, which may delay detection in dynamic settings.[30][27]Reporting and Analysis Tools
OpenVAS produces scan results in a native XML format that serves as the foundation for comprehensive reporting, enabling users to generate detailed outputs convertible to user-friendly formats such as PDF, HTML, and CSV. These reports encapsulate vulnerability findings with associated severity classifications ranging from Low to High, determined using CVSS v3.1 scoring, where Low corresponds to scores of 0.1–3.9, Medium to 4.0–6.9, and High to 7.0–10.0.[31][32] This structure allows for the inclusion of vulnerability details, affected hosts, and remediation recommendations, facilitating clear communication of risks to stakeholders. For analysis, OpenVAS integrates built-in dashboards within the Greenbone Security Assistant (GSA) interface, providing interactive visualization of results. Users can filter scan data by criteria such as host, specific vulnerability, or severity level, enabling targeted reviews of security posture. Additionally, trend tracking is supported through delta reports that compare findings across multiple scans, highlighting new, resolved, or unchanged vulnerabilities to monitor remediation progress over time.[31] Export capabilities in OpenVAS extend to API-driven integrations via the Greenbone Management Protocol (GMP), allowing automated retrieval and transfer of report data to external systems like SIEM platforms, including the ELK Stack, for centralized logging and alerting. Support for custom report templates further enhances flexibility, permitting organizations to tailor outputs with specific sections, branding, or data emphases without altering core XML structures.[33][34] Risk prioritization within OpenVAS relies on established metrics such as CVSS base scores to quantify threat levels. These elements guide users in focusing efforts on high-impact vulnerabilities by providing contextual severity without performing on-the-fly score calculations, ensuring efficient resource allocation in vulnerability management workflows.[31][35]Deployment and Usage
Installation Procedures
As of May 2025, the latest version of Greenbone Community Edition is 25.5.0. Installation procedures may evolve; always consult the official documentation at https://greenbone.github.io/docs/latest/ for the most current instructions.[36] OpenVAS, as part of the Greenbone Vulnerability Manager (GVM), is primarily supported on Linux distributions such as Kali Linux, Ubuntu, Debian, and CentOS, with installation options via package managers, source compilation, or containerization using Docker and Kubernetes.[37][38] Package manager installations are available natively on Kali Linux, while source builds are recommended for Debian, Ubuntu, and CentOS to ensure compatibility. Source builds now require Ubuntu 24.04 LTS to resolve compilation issues with gvm-libs.[39][37] Containerized deployments provide platform-agnostic setup on any system supporting Docker, including the listed Linux distributions.[38] Installation requires meeting hardware and software prerequisites to handle vulnerability feed processing and scanning operations. Minimum hardware specifications include 2 CPU cores, 4 GB RAM, and 20 GB disk space, though 4 cores, 8 GB RAM, and 60 GB disk are recommended for production use.[37][38] Software prerequisites encompass a compatible Linux kernel, PostgreSQL for database management, Redis for caching, and network access to download vulnerability feeds from Greenbone's community servers. For source builds, ensure Rust and Cargo are up-to-date usingrustup update stable. The lcov development dependency has been dropped in recent versions.[37][39] Users should create a dedicated non-root user (e.g., 'gvm') with sudo privileges and ensure the system is updated before proceeding.[37]
For package manager installation on Kali Linux, begin by updating the system with sudo apt update && sudo apt upgrade, then install the GVM suite using sudo apt install gvm -y.[39] Next, run the initial setup script sudo gvm-setup to configure the PostgreSQL database, create an admin user, and download initial feeds; note the generated admin password from the output.[39] Verify the installation with sudo gvm-check-setup, which should confirm "GVM installation is OK" if all components are properly set up.[39] Start the services using sudo gvm-start and access the Greenbone Security Assistant (GSA) web interface at https://127.0.0.1:9392 using the admin credentials.[39]
Source-based installation on Debian (bookworm), Ubuntu 24.04 LTS, or CentOS 9 Stream involves compiling components in a specific order: gvm-libs (v22.22.0), gvmd (v26.0.0), pg-gvm (v22.6.9), gsad (v24.3.0), GSA (v25.0.0), openvas-smb, openvas-scanner, ospd-openvas, and gvm-tools.[37] First, install build dependencies with sudo apt install build-essential cmake pkg-config python3 python3-pip gnupg postgresql (adapt for dnf on CentOS), create the gvm user with sudo useradd -r -M -U -G sudo -s /usr/sbin/nologin gvm, and set environment variables like export INSTALL_PREFIX=/usr/local.[37] Download and verify source tarballs from GitHub (e.g., curl -f -L https://github.com/greenbone/gvm-libs/archive/refs/tags/v22.22.0.tar.gz -o gvm-libs.tar.gz and GPG check), then for each component, extract, build with cmake -S <source> -B <build> -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX followed by cmake --build <build> -j$(nproc), and install with sudo make install.[37] Post-build, initialize the database with sudo -u postgres createuser -DRS gvm and createdb -O gvm gvmd, create an admin user via gvmd --create-user=admin, set the feed owner, and sync feeds using sudo greenbone-feed-sync.[37] Enable and start services like sudo systemctl enable --now ospd-openvas gvmd gsad and verify status with sudo systemctl status <service>. Access GSA at https://127.0.0.1:9392.[](https://greenbone.github.io/docs/latest/source-build/index.html)
Containerized installation using Docker is suitable for all supported Linux platforms and simplifies dependency management by pulling pre-built images.[38] Install Docker with sudo apt install docker-ce docker-ce-cli containerd.[io](/page/.io) docker-compose-plugin after setting up the official repository, add the user to the docker group with sudo usermod -aG docker $USER, and download the compose file via [curl](/page/CURL) -f -O https://greenbone.[github](/page/GitHub).[io](/page/.io)/docs/latest/_static/docker-compose.yml. Before starting, update the docker-compose.yml if necessary for the latest version.[38] Pull images and start containers with docker compose up -d, set the admin password using docker compose exec -u gvmd gvmd gvmd --user=admin --new-password='<password>', and monitor logs via docker compose logs -f.[38] Feeds are synced automatically in volumes like vt_data_vol, with PostgreSQL data persisted in psql_data_vol; access GSA at http://127.0.0.1:9392.[](https://greenbone.github.io/docs/latest/container/index.html) For Kubernetes, adapt the Docker Compose setup using official images from the Greenbone registry.[38]
Post-installation verification across methods includes checking feed status in the GSA Administration menu to ensure synchronization of Network Vulnerability Tests (NVTs) and other data, which requires outbound internet access to Greenbone's servers.[39][37] If issues arise, such as database connectivity, review service logs and ensure Redis and PostgreSQL are running.[37]
Performing Scans
Performing scans with OpenVAS, part of the Greenbone Vulnerability Management (GVM) framework, involves configuring and executing tasks through the Greenbone Security Assistant (GSA) web interface or command-line tools. Note that as of 2025, the interface follows the design introduced in GOS 24.10, with a vertical left-side navigation menu. A scan task defines the scope, method, and timing of vulnerability assessments on target systems.[40] To configure a scan, users create tasks in GSA under the Scans > Tasks section, either using the simple Task Wizard for basic setups or the Advanced Task Wizard for detailed options. Targets are specified as individual hosts, IP addresses, or ranges in CIDR notation (e.g., 192.168.1.0/24), with support for up to 4,096 IPs in community editions and exclusions for sensitive systems. Scan policies, known as configurations, are selected from predefined options like "Full and fast" for balanced coverage or customized by enabling/disabling Network Vulnerability Tests (NVTs) under Configuration > Scan Configs. Schedules can be set for one-time, daily, weekly, or custom recurrences via the task's scheduling options, ensuring automated assessments. For authenticated scans, credentials such as SSH keys, SMB passwords, or SNMP community strings are configured under Configuration > Credentials and associated with targets to enable deeper system inspections.[40][41][42] Execution begins by initiating the task in GSA with the start icon or via the gvm-cli tool for automation. With gvm-cli, users first create a target and task using XML commands (e.g.,<create_task><name>Scan Target</name><target id="target_uuid"/><config id="config_uuid"/></create_task>), then start it with <start_task task_id="task_uuid"/>. Progress is monitored in GSA's Tasks view, showing status (e.g., "Running," "Done") and percentage completion, or queried via gvm-cli with <get_tasks task_id="task_uuid"/>. Interruptions, such as manual stops or resource limits, allow tasks to be paused and resumed, continuing from unfinished hosts without restarting the entire scan. Upon completion, reports can be viewed briefly in GSA for initial analysis.[43][44][43]
Best practices emphasize starting with lightweight discovery scans, such as the "Host Discovery" configuration, to map active hosts before full vulnerability assessments, reducing unnecessary load. For large networks, divide targets into smaller groups and use random host ordering to improve progress tracking and even resource distribution. Performance tuning involves adjusting scanner preferences like maximum concurrent NVTs (e.g., via "Max NVTs" in scan configs) and system load limits (e.g., "Max scan system load" set to 50% of available CPU) to prevent overload, with defaults often sufficient for small to medium environments.[45][46][47]
Common troubleshooting addresses feed synchronization issues, which can halt scans due to outdated NVTs; verify sync status with greenbone-feed-sync --type all and check logs in /var/log/gvm/gvmd.log for errors like hash mismatches, then rebuild data with gvmd --rebuild-gvmd-data=all. High resource usage during scans, often indicated by elevated CPU or RAM in Administration > Performance, is mitigated by limiting concurrent hosts (e.g., "Max hosts" to 10-20) and monitoring swap usage to stay below 10%.[48][46]