Automated Debug Scan for PC Internal Scanner

The debug scan provides users with sufficient verbosity logging details to identify any of the issues that occurred during the standard scanning process. This scan affects the target as any standard scan, with additional logs for troubleshooting purposes.

Enabling the users to perform Automated Debug scans, avoids the dependency on the Qualys Customer Support team to change the operational mode of the scanner to Debug. The users can launch the Debug Scan from the Scan Launch Screen with only one IP Address. With this, the scanner is automatically set into Debug Mode, and post the completion of the scan, the scanner automatically revert to the Standard operation mode, and the users can continue with their traditional scanning activity planned during that time.

Note: Debug Scans can run for a longer duration based on the QIDs configured in the Compliance Profile and the selection of the Scanner Debug Modes. This may impact any on-demand or scheduled scans that are planned while the debug scans are in progress.

Enable Debug Scan

The Debug Scan feature needs to be enabled for your subscription. Contact your Technical Account Manager or Qualys Support.

Perform the following steps for the debug scan

  1. Enable debug scan
  2. Launch a debug scan
  3. Post Completion of Debug Scans

Enable Debug Scan 

Once the Debug Scan feature is available in your subscription, enable and save the settings.

  1. Launch the Debug Scan by going to Scans > Setup > Debug Scan.

    launching debug scan from the UI setup.
  2. Select Enable Debug Scan.
  3. Click Save.

    Enabling the debug scan.

After activation, the Debug Scan option is available in the Scan Launch UI. The scan can be initiated only by the Manager User. 

Launch Debug Scan

  1. Go to Policy Compliance > Scans > PC Scans > New > Debug Scan

    Selecting Debug scan from PC Scans.
  2. Provide General Information

    In the Launch Debug Scan window, the first section you see is the General Information section. You can add a Title, Compliance Profile, Network, and much more. Each option is described below.

    Title - Give your scan a title to easily identify it later. 

    Compliance Profile - Select a compliance profile for the scan job. The compliance profile has scan settings like which ports to scan, which QIDs to scan, and whether to use authentication. The option profile designated as default profile for the subscription is recommended. You can use the default or pick another option profile from the list. 

    Note: Limit the Option Profile with the required set of QIDs for the troubleshooting activity, and it is not recommended to perform with complete vulnerability detection.


    Network - (Visible only when the Network Support feature is enabled for your subscription.) Select the network you want to scan. The Global Default Network is selected by default but you can choose a user-created network from the list. 

    Scanner Appliance - Qualys recommends customers initiate the Debug Scans, while the scanner is fully available to ensure that, there is no overlap to scheduled/on-demand scans. After completing the Debug Scans, the Scanner Appliance automatically reverts to normal. 

    Click here to see your Scanner Appliance optionsClick here to see your Scanner Appliance options

    Scanner Debug Modes - You can run the debug scans in different debug modes depending on the amount of logging level required based on the issue for which debug scan is run. There are 3 debug modes available 

    - Default - This is the lowest logging level in the case of debug scans. It can be run for issues such as Host Not Alive, Scan Discontinued, and Insufficient Privileges issues.

    - Standard - This is the middle logging level for debug scans. The scanner logs more events as compared to the default debug level. This is generally used for Web application scanning-related issues.

    - AdvancedThis is the highest level of debug scan that can be run from the UI. This can be run for issues such as authentication, OS fingerprinting issues. 

  3. Choose a Target Host

    In the Launch Debug Scan window, the second section you see is the Choose a Target Host section. You can specify the IP address, IPv6 address, and FQDN(s). Each option is described below.

    Selecting IP, IPv6 address and FQDN.

    IP Address - Enter the IP address for which you need to run the debug scan.

    IPv6 Address - Enter the IPv6 address/range you want to scan. 

    Note: You can scan one IP address at a time.

    FQDN(s) - (Visible only when the DNS Tracking feature is enabled for your subscription.) When this feature is enabled, you can see the FQDNs input field where you can enter a comma-separated list of Fully Qualified Domain Names to scan (e.g.,, Enter up to 4000 characters. Each FQDN must resolve to an IP address in your VM account to successfully scan it and view the results. The Scan Results report shows the FQDN information in the Report Summary section. Click here to learn how to enable this featureClick here to learn how to enable this feature

    To enable this feature, the user with the manager primary contact must navigate to Scans > Setup > DNS Tracking and select Enable DNS Tracking for hosts checkbox.

  4. Enable Scan Notification Email

    (Optional) Select Send notification when this scan is finished if you require an email notification with a custom message to be sent to you and others when this scan is finished.

    Selecting send notification.

    From - Select the email address that should appear in the From line of the email. You can choose the Support email or your own.

    Email To - Tell us who to notify when this scan is finished. You can do this by selecting distribution groups. Click Add Group. Then, in the window that appears, select a group in the list to see details about the group, and click Add to list to add the group to the notification. Learn more about distribution groups

    Subject Line - Enter text that appears in the Subject line of the email. 

    Custom Message - Enter a custom message that appears in the body of the email. 

  5. Click the Launch button

    Once you have provided all the scan information, you're ready to launch the scan. Click Launch and your debug scan will be launched.   

    launching the debug scan.

Note: When the Debug Scan is running, you will not be able to Pause/Resume/relaunch the scans.

Post Completion of Debug Scans

After completing the Debug Scans, the Scanner Appliance automatically reverts to normal.  

The users must manually download the Scan Results in PDF format (for the Debug Scans) and then share it with the Qualys Support team at Qualys Support will leverage backend tooling and reference numbers from the Scan PDF to retrieve, decompress, and de-obfuscate that log file, which could potentially contain sensitive information.