In other words, you do believe what your scanner says. Just because someone decided that something is "critical" doesn't automatically mean it is. If your VM process doesn't have a possibility for flagging a false positive or adjusting the criticality, it's simply a bad process. Every reasonable VM process has vulnerability assessment after the scan phase. If you're jumping straight into remediation, you're simply taking shortcuts and doing checkbox security. Don't take it personally, I'm not saying you are responsible for the process design. It's just that you might or might not see a vulnerability which in reality is not there "fixed".