Scanning - The Basics (for PC Scans)

Recommendation for your first scan

We recommend you start small, maybe one or two IPs. Review the results, fix the compliance issues found, and re-scan the IPs to verify your fixes. Once you have this process down you'll feel more comfortable scanning larger sets of IPs.

What you can scan

The simple answer to what to scan is this: pretty much anything that's connected to your organization's network. Here's a list: all routers, switches, hubs, firewalls, servers (all common operating systems), workstations, databases, desktop computers, printers, and wireless access devices.

How often you should scan

It's best practice to run frequent compliance scans. As applications are added and operating systems are updated, you'll want to continuously monitor your systems for compliance. You can even set up continuous scanning - after one scan finishes we'll start another one for you.

Scan complete email notifications

You can choose to be notified via email each time a scan completes. The email gives you a summary of the results and a secure link to the saved report. To opt in, select User Profile below your user name, go to the Options section and select Scan Complete Notification. You'll notice additional email notifications you can opt in to there as well.

How do I identify hosts to scan?

Go to PC > Assets > Host Assets to see the IPs you can scan for compliance. If the IPs you want to scan are not listed, add them (or have your manager add them and assign them to you).

Can I exclude hosts from the scan?

Yes. Simply enter the IP addresses you want to exclude into the Exclude IPs/Ranges field. Optionally, go to Scans > Setup > Excluded Hosts to create a list of IPs that you want to exclude from all scans launched by all users.

Remove compliance scan data on dead hosts

Remove dead hosts

This option profile setting allows you to remove compliance scan data for hosts that are not found alive. A dead host is unreachable—it didn't respond to any of our pings. Typically, you would want to avoid reporting dead hosts, since stale data from them can inflate your compliance detection counts.

Configure this option in your Compliance Profile to set the number of Policy Compliance scans after which the data should be removed. When configured, we remove compliance scan data associated with dead hosts after that number of scans. This keeps your compliance reports limited to active/live hosts.

Note: The valid range to set a number of Policy Compliance scans after which the data should be removed is 1 to 99.

Can I scan my IPv6 addresses?

Yes. You'll need to have IPv6 Scanning enabled - please contact Support or your Technical Account Manager. There are a couple of configuration steps you'll need to complete to get started.

Can I scan on FQDNs?

Yes. When launching and scheduling compliance scans enter one or more FQDNs when defining the target hosts. FQDNs can be entered in combination with asset groups and IPs/ranges but not with asset tags. The scanned FQDN must resolve to an IP address in your PC account to successfully scan it and view the results. Not seeing the FQDN option? Make sure DNS Tracking is enabled.

Note - Currently, vulnerability and compliance scans launched on FQDNs are not visible to the sub-user, whether the scan was launched by the sub-user or by the Manager.
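Two of the rules above are easy to get wrong when building a target list by hand: an entry in Exclude IPs/Ranges (or on the Scans > Setup > Excluded Hosts list) is silently skipped, and an FQDN is only scanned if it resolves to an IP that is in your PC host assets. The following pre-flight check, an added example and not Qualys code, computes the effective target set before you launch. The host assets, exclusion list, target entries and the DNS mapping are all constructed sample data, and the resolver is a stub you would replace with a real lookup (the page does not describe any API for this; the IP-range syntax handled here is plain CIDR, dashed ranges and single addresses).

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample data for the hypothetical PC account (not from the page).
HOST_ASSETS = ["10.0.1.0/24", "10.0.2.10-10.0.2.20", "192.0.2.5"]
EXCLUDED = ["10.0.1.250-10.0.1.254", "10.0.2.15"]
FAKE_DNS: Dict[str, Optional[str]] = {
    "web01.example.test": "10.0.1.10",    # in scope, will be scanned
    "db01.example.test": "10.0.2.15",     # resolves, but the IP is excluded
    "legacy.example.test": "172.16.0.9",  # resolves to an IP outside the account
    "ghost.example.test": None,           # does not resolve at all
}

Network = ipaddress.IPv4Network


def parse_range(spec: str) -> List[Network]:
    """Accept CIDR, a dashed range ("a-b") or a single IP; return networks."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=False)]


def build_set(specs: Iterable[str]) -> List[Network]:
    nets: List[Network] = []
    for s in specs:
        nets.extend(parse_range(s))
    return nets


def contains(nets: List[Network], ip: ipaddress.IPv4Address) -> bool:
    return any(ip in n for n in nets)


def is_address_spec(entry: str) -> bool:
    """True for IPs/ranges; anything that fails to parse is treated as an FQDN."""
    try:
        parse_range(entry)
        return True
    except ValueError:
        return False


def stub_resolve(fqdn: str) -> Optional[str]:
    """Stand-in for a DNS lookup; uses the constructed mapping above."""
    return FAKE_DNS.get(fqdn)


def preflight(targets: Iterable[str], host_assets: Iterable[str],
              excluded: Iterable[str],
              resolve: Callable[[str], Optional[str]]) -> Dict[str, object]:
    """Return the IPs that would actually be scanned plus the skipped entries."""
    assets = build_set(host_assets)
    excl = build_set(excluded)
    scan: List[ipaddress.IPv4Address] = []
    skipped: List[Tuple[str, str]] = []
    for t in targets:
        if is_address_spec(t):
            candidates = [ip for net in parse_range(t) for ip in net]
            label = t
        else:
            ip_str = resolve(t)
            if ip_str is None:
                skipped.append((t, "does not resolve"))
                continue
            candidates = [ipaddress.ip_address(ip_str)]
            label = f"{t} -> {ip_str}"
        for ip in candidates:
            if not contains(assets, ip):
                skipped.append((label, f"{ip} not in PC host assets"))
            elif contains(excl, ip):
                skipped.append((label, f"{ip} is on the exclusion list"))
            else:
                scan.append(ip)
    ordered = sorted({str(ip) for ip in scan}, key=ipaddress.ip_address)
    return {"scan": ordered, "skipped": skipped}


def run_demo() -> Dict[str, object]:
    # Constructed target list mixing a dashed range, FQDNs and single IPs.
    targets = ["10.0.1.250-10.0.1.255", "web01.example.test", "db01.example.test",
               "legacy.example.test", "ghost.example.test", "192.0.2.5", "10.0.3.1"]
    return preflight(targets, HOST_ASSETS, EXCLUDED, stub_resolve)


if __name__ == "__main__":
    result = run_demo()
    print("will scan:", result["scan"])
    for entry, reason in result["skipped"]:
        print(f"skipped {entry}: {reason}")
```

Running the demo shows only three addresses surviving: 10.0.1.255 from the dashed range (the rest of it is excluded), web01's address, and the single in-scope IP; everything else is reported with the reason it would not be scanned, which is the same information you would otherwise only discover after the scan finishes with fewer hosts than expected.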

Will the scan impact my hosts?

Our security service ensures the impact on your target hosts and network traffic is minimal. How do we do this?

- If we detect performance deteriorates on a target host or network during a scan, we'll adapt dynamically and reduce the scan speed.

- We run vulnerability checks appropriate to the machine being scanned (for example no test specific to Windows operating systems will be run against a Linux machine).

- Our service allows for variable bandwidth load (low, normal, high or custom) for the machines being scanned. We monitor the response (through RTT, response-time tests) and adjust the load according to your setting. You can configure this scan performance setting within your option profile.

What are asset groups?

Asset groups are user-defined groupings of host assets (IP addresses). You can group hosts by importance, priority, location, ownership, or any other method that makes sense for your organization. When you scan an asset group, only the hosts in the group are scanned. This allows you to limit the scope of your scans to a particular group of hosts or a subsection of your network, making the scan results and remediation tasks more manageable.

What are asset tags?

Asset tagging is another method for organizing and tracking the assets in your account. You can assign tags to your host assets. Then when launching scans you can select tags associated with the hosts you want to scan. This dynamic approach is a great way to ensure you include all hosts that match certain criteria, even if your network is constantly changing as hosts are added and removed. For example, scan all Windows XP hosts or all hosts with Port 80 open. There are multiple ways to create tags, for example you can create tags from asset search (go to Assets > Asset Search) or by using the AssetView application.

Which option profile should I use?

The option profile you choose determines the depth of the scan. If you're not sure which options to use, start with the default profile. We provide "Initial PC Options" to get you started. This profile has the most common settings and should meet most of your needs.

By creating your own profile, you can fine tune settings like ports to scan and limit scanning to a specific policy. Think about creating a few option profiles for the different types of scans you want to perform.

How can I customize my scan?

You customize your scan by changing the scan settings in the option profile. You can fine tune settings by restricting the scan to controls in a specific policy and choosing which ports to scan. Think about creating a few option profiles for the different types of scans you want to perform. The following settings can be tweaked to meet your specific needs: File Integrity Monitoring, Password Auditing, Windows Share Enumeration, packet options, performance settings and more.

Why should I use authentication?

Authentication is required for compliance scans. Using host authentication allows our service to log in to each target system during scanning. This lets us perform an in-depth security assessment and get better visibility into each system's security posture. Running authenticated scans gives you the most accurate results with fewer false positives.

Are you scanning internally or externally?

In other words, are you scanning IPs on your network perimeter (external) or inside your corporate network (internal)?

External scanning is always available using our cloud scanners set up around the globe at our Security Operations Centers (SOCs). For this option, choose External from the Scanner Appliance menu.

Internal scanning uses a scanner appliance placed inside your network. Select the scanner appliance you want to use by name. If you don't already have one, you can quickly download a virtual scanner by going to Scans > Appliances. From there, go to Help > Online Help to learn more.

Options when scanning asset groups

If you're doing internal scanning on asset groups, you can choose a scanner appliance by name or select one of these options:

Default. Select this option to use the default scanner in each asset group. When the target includes multiple asset groups, the service distributes the scan task to the various scanners (scanner appliances and/or external scanners) and compiles a single report with scan results. Edit an asset group to assign the default scanner for the group.

All Scanners in Asset Group. Select this option to distribute the scan task to a pool of scanner appliances in each asset group. The scan task is distributed to the top five appliances listed in the group and compiles a single report with scan results. Tip: Before you use this feature, it's best practice to view your target asset groups to see which appliances are in the top five slots for the group and make any necessary changes.

Do I need to add Qualys scanners to my allow list?

Yes, scanners must be able to reach the target hosts being scanned. Go to Help > About to see the IP addresses for external scanners that you'll need to add to your allow list. You'll also see a list of URLs that your scanner appliances must be able to contact for internal scanning.

Scanning through a firewall - avoid scanning from the inside out

Problems can arise when scan traffic is routed through the firewall from the inside out, i.e. when the scanner appliance is sitting in the protected network area and scans a target located on the other side of the firewall.

Don't see the scanner appliance option

You will only see the Scanner Appliance option if you have scanner appliances in your account. If this option does not appear, your scans will use external scanners automatically.

How do I get a scanner appliance?

Contact Support or your Technical Account Manager to: 1) have a physical scanner appliance shipped to you, or 2) have the Virtual Scanner option enabled for your subscription. With the Virtual Scanner option, you'll be able to download a virtual scanner image and configure your scanner in a few easy steps.

Auto cancellation of scan

A scan is automatically canceled after 4 hours if it remains in queued status due to platform issues.