Question:

Nathan operates a vulnerability scan using up-to-date definitions for a system that has a vulnerability in the version of running Apache. The vulnerability scan does not show that issue when he reviews the report. What has Nathan detected?

A. A false negative.

Explanation:

A false negative occurs when a vulnerability scan is run and an existing issue is not identified. This can be because of a configuration option, a firewall, or other security settings, or because the vulnerability scanner is otherwise unable to detect the issue. A missing vulnerability update might be a concern if the problem did not specifically state that the definitions are fully up-to-date. Unless the vulnerability is so new that there is no definition, a missing update shouldn't be the issue. Silent patching refers to a patching technique that does not show users any message that a patch is being applied. A false positive would have caused the scan to report a vulnerability that was not actually there. This sometimes happens when a patch or fix is installed but the application does not change in a way that shows the change.
