
VM Option Profile: Scan

The Scan tab is where you'll make scan settings like which ports to scan, which QIDs to scan, whether to include authentication, scan performance settings, and more.

Jump to a section below: 

Ports

Authentication

Scan Dead Hosts

Test Authentication

Close Vulnerabilities on Dead Hosts

Additional Certificate Detection

Purge old host data when OS is changed

Dissolvable Agent

Performance

Lite OS Scan

Load Balancer Detection

Add a Custom HTTP Header value

Password Brute Forcing

Host-Alive Testing

Maximum Scan Duration per Asset

Do not overwrite OS

Vulnerability Detection

Perform Partial SSL/TLS Auditing


Ports

TCP Ports

We use ports to send packets to the host in order to determine whether the host is alive and also to do fingerprinting for the discovery of services. We scan the standard list of TCP ports unless you choose a different option in the profile. Select Full to scan all ports or Light Scan to scan fewer ports. You can also add a custom list of ports to scan by selecting Additional and entering ports in the field provided. We have about 2,800 standard TCP ports and additional TCP ports up to 20,500.

[Image: list of all 2,800 Standard TCP ports]

Perform 3-way Handshake

When enabled, the scanning engine performs a 3-way handshake with target hosts. After a connection between the service and the target host is established, the connection is closed. Enable this option only if you have a configuration that does not allow a SYN packet to be followed by an RST packet. Also, when this option is enabled, TCP-based OS detection is not performed on target hosts. Without TCP-based OS detection, the service may not be able to identify the operating system installed on target hosts and perform OS-specific vulnerability checks.

UDP Ports

We use ports to send packets to the host in order to determine whether the host is alive and also to do fingerprinting for the discovery of services. We will scan the standard list of UDP ports unless you choose a different option in the profile. Select Full to scan all ports or Light Scan to scan fewer ports. You can also add a custom list of ports to scan by selecting Additional and entering ports in the field provided. 

Full UDP port scan may not be feasible

When you choose to do a Full UDP port scan, we'll first determine if this is feasible for your target hosts. For hosts behind a firewall configured to block or drop most UDP packets and for hosts that have a limit on the transmission rate of ICMP Port Unreachable packets (e.g., one ICMP packet per second), full UDP port scanning time will be significantly increased. In these cases, we'll automatically perform a standard scan on the default UDP ports instead of a full scan.

Why do I see traffic on ports that are not in my list of ports to scan?

You'll see traffic if the port is being scanned but you may also see traffic for other reasons, such as OS detection, router/firewall detection, path analysis, port mapping analysis, etc. In these cases we may send data to a port without actually scanning it. The list of "ports to scan" only controls scan traffic, not other types of traffic. In many situations we have a need to access a port for reasons that have nothing to do with scanning the port. Ports that do not appear in the list of ports to scan may still receive network traffic during a scan, but that does not mean that they are being scanned.

Authoritative Option for light scans 

When enabled, the results from light port scans and scans on customized port lists affect the status for all vulnerabilities on target hosts, not just those detected on the scanned ports.
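To make the status effect concrete, here is an added Python model (written for this page, not Qualys' own logic) of how a light or custom-port scan updates a host's existing findings with and without the authoritative option; the QIDs, ports and status labels are constructed.

```python
# Added illustration (not Qualys' own code) of how a scan that covers only some
# ports updates a host's existing findings, with and without the
# "Authoritative Option for light scans". QIDs and ports below are constructed.

ACTIVE, FIXED, UNCHANGED = "Active", "Fixed", "Unchanged"


def update_statuses(previous, detected_now, scanned_ports, authoritative):
    """Return {(qid, port): status} after one scan of the host.

    previous      - set of (qid, port) findings that are Active before the scan
    detected_now  - set of (qid, port) the scanner reported in this scan
    scanned_ports - set of TCP/UDP ports this option profile actually scanned
    authoritative - state of the "Authoritative Option for light scans" box
    """
    result = {}
    for finding in previous | detected_now:
        _qid, port = finding
        if finding in detected_now:
            result[finding] = ACTIVE
        elif port in scanned_ports or authoritative:
            # Not seen again on a port that was tested, or the scan counts as
            # authoritative for every port: the finding is treated as Fixed.
            result[finding] = FIXED
        else:
            # Port not scanned and scan not authoritative: carry status forward.
            result[finding] = UNCHANGED
    return result


def closed_without_test(statuses, scanned_ports):
    """Findings marked Fixed although their port was never scanned.

    This is the set to review before enabling the authoritative option: each
    entry was closed on the strength of a scan that did not look at its port.
    """
    return sorted(f for f, s in statuses.items()
                  if s == FIXED and f[1] not in scanned_ports)


# Constructed scenario: three Active findings, then a Light Scan of ports 80/443
PREVIOUS = {(900001, 443), (900002, 8443), (900003, 3306)}
DETECTED = {(900001, 443)}          # only the 443 finding is re-detected
LIGHT_PORTS = {80, 443}

if __name__ == "__main__":
    for flag in (False, True):
        st = update_statuses(PREVIOUS, DETECTED, LIGHT_PORTS, flag)
        print(f"authoritative={flag}: {st}")
        print("  closed without being tested:", closed_without_test(st, LIGHT_PORTS))
```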

Other Port Options

Select ports for host discovery (affects scans and maps) on the Additional tab in the option profile.

Select ports for basic information gathering (affects maps) on the Map tab in the option profile.


Scan Dead Hosts 

A dead host is a host that is unreachable - it didn't respond to any of our pings. Typically you'd want to avoid wasting time on scanning a dead host. You may choose to scan dead hosts but note that this may substantially increase scan time.


Close Vulnerabilities on Dead Hosts 

Enable this Option Profile setting to close vulnerabilities or related tickets for hosts that are not found alive after a predefined number of scans. When enabled, we'll mark existing tickets associated with dead hosts as Closed/Fixed and update the vulnerability status to Fixed. 

Here is an article about it – Best Practice Subscription Maintenance: Opt-In Vulnerability Management Asset Housekeeping Subscription Support Options.

To enable or disable it, navigate to Scans > Option Profiles (New or Edit Option Profile) > Scan tab > Close Vulnerabilities on Dead Hosts.

Notes:

- If you do not see this feature enabled for your subscription, contact your Account Manager or Support to get it.

- You must choose Full or Standard options for both TCP Ports and UDP Ports in the same option profile when using this feature. This is because we don't close vulnerabilities for None and Light Scan.

- If a previously identified dead host is found to be alive during a future scan, any vulnerabilities associated with that host which were previously closed due to the dead host processing will be marked as re-opened if they are reported as vulnerable by the scanners.

Close vulnerabilities on Dead Hosts is visible by default for all new VMDR subscriptions.


Purge old host data when OS is changed 

Enable this Option Profile setting to purge old host data when there is a significant change in the host OS vendor. This option is useful if you have systems that are regularly decommissioned or replaced.

Example: OS changes from Linux to Windows or Debian to Ubuntu. We will not purge the host for an OS version change like Linux 2.8.13 to Linux 2.9.4.

To enable or disable it, navigate to Scans > Option Profiles (Edit Option Profile) > Scan.

Find help for this setting here. If you face any discrepancy in host data after setting Purge old host data when OS is changed in Option Profile, read this article.

Note: 

- If you do not see this feature enabled for your subscription, contact your Account Manager or Support to get it.

- We recommend enabling this setting only for the default Option Profile, where the required authentication record settings are enabled.

Purge old host data when OS is changed is enabled by default for all new subscriptions.

- If you are an existing option profile user, this setting is enabled by default when you create a new option profile.

The Save As option is disabled when editing an existing Option Profile. The option is disabled to avoid duplication of existing option profiles.


Performance 

Important - Performance settings should only be customized under special circumstances by users with an in-depth knowledge of the target network and available bandwidth resources.

Configure performance settings to fine tune the intensity of your scans. We'll select the performance level "Normal" initially and this is recommended in most cases. Click Configure to change to another performance level. You can also define a custom level - select Custom for Overall Performance and configure the settings. Want to know more? See scan performance settings.


Load Balancer Detection 

When load balancer detection is enabled in the Scan section, we check each target host to determine if it's a load balancer. When a load balancer is detected, we determine the number of Web servers behind it and report QID #86189 "Presence of a Load-Balancing Device Detected" in your results.


Password Brute Forcing 

Use Password Brute Forcing to find out how vulnerable your hosts are to password-cracking techniques. Common targets of brute force attacks are hosts running FTP, SSH and Windows. Choose "System" and we'll attempt to guess the password for each detected login ID on each target host scanned. Select the level of brute forcing you prefer, with options ranging from "Minimal" to "Exhaustive". Choose "Custom" to configure your own login/password combinations to look for.


Maximum Scan Duration per Asset

This option is only visible when the feature has been enabled for the subscription by a Manager under Scans > Setup > Max Scan Duration per Asset.

Once enabled for the subscription, you can enable this option in your option profile. Select the option "Set maximum scan duration of <number> minutes per asset" and enter the number of minutes (30 to 2880) for how long you will allow the scan to run on a single asset.  

If the scan on a single asset exceeds the maximum duration that you've specified, the scan on that asset is aborted and the scan job continues to the next target. The Scan Status page lists the hosts that exceeded the duration specified in the option profile.

Note: Allow users to set maximum scan duration per asset is enabled by default for all new VMDR subscriptions.


Vulnerability Detection 

Complete

When you scan a host, the scanner first gathers information about the host and then scans for all vulnerabilities (QIDs) in the KnowledgeBase applicable to the host. This is a Complete vulnerability scan.

Custom

Select Custom under Vulnerability Detection if you prefer to limit the scan to a select list of QIDs. Then add search lists with the QIDs you're interested in. For example, you may only want to scan for vulnerabilities related to a specific product, operating system or category.

Select at runtime 

The "Select at runtime" option allows you to launch a one-time custom scan. At scan time, you'll be prompted to select vulnerabilities to include in the scan. The list of vulnerabilities is not saved in the profile and this option cannot be used for scheduled scans.

Basic host information checks 

Basic host information checks look for things like DNS hostname, NetBIOS hostname and operating system. Once we have this information for a host we show it in your scan reports, on the host assets list, in remediation tickets, and so on. These types of checks are always included in Complete scans. But if you're performing a Custom scan, you must select this option in the profile or we won't check for this basic host information.

OVAL checks 

To scan OVAL checks, use search lists in the Vulnerability Detection section, as described below. Note that you must also enable Windows authentication in the same option profile.

To scan all OVAL vulnerabilities: add a search list that has QID 105186, and select the option "OVAL checks" in the Include section.

To scan only select OVAL vulnerabilities: add a search list that has the specific OVAL QIDs you want to test plus QID 105186.

About QID 105186: QID 105186 "Errors During Execution of User-Provided Detections" is a diagnostic QID that will provide important information about OVAL detections like errors reported and will help you if OVAL detection fails.

Can I use the Complete option? Yes, you can use "Complete" vulnerability detection along with "OVAL checks" to scan for all OVAL vulnerabilities but QID 105186 will not be included in the scan. This is why we suggest you use search lists.

Exclude QIDs  

Select the Excluded QIDs option and add one or more search lists with the QIDs you're not interested in. The scan engine will consider this list at scan time and exclude them if possible. It’s important to understand that the exclude QIDs option is not intended as a traffic blocking mechanism. This option is provided to help reduce scan time for scans in which the customer is only interested in certain QIDs.  

Why do I still see scan traffic for QIDs that were excluded?

There’s not always a one-to-one correspondence between a check (scan traffic you may see on the wire) and a QID. Many checks are directly associated with QIDs but not all of them. Checks for excluded QIDs may still run and cause related network traffic. The data required for a QID is collected from multiple places at scan time and we may not know at the start of the scan which checks are required for the QIDs included in the scan, so we may perform checks for QIDs that you excluded.

Intrusive Checks 

Intrusive checks are by default excluded from scans unless you take action to include them. You must explicitly include Intrusive checks, even if they are included in a custom Search List. Some remote vulnerabilities can only be effectively detected by attempting to compromise the vulnerability. Qualys attempts to ensure that any compromise attempted is benign, however this cannot be guaranteed.  

Intrusive checks may leave the remote system in an unstable state. Intrusive QIDs will only be included in a scan if you select the setting "Do not exclude Intrusive checks" in the scan option profile. Note that you will see a warning in the UI when this option is selected at the time you save the option profile. This will allow you to go back and change the setting if it was set unintentionally.


Authentication 

Using authentication enables our scanner to remotely log in to your system with credentials that you provide, and because we are logged in we can do more thorough testing.

You must set up authentication records for your technologies before you scan with authentication. Go to Scans > Authentication to create records.

In the option profile, choose the types of authentication you want to perform (Windows, Unix, Oracle, etc.).

Note: Windows and Unix authentication records are enabled by default when you create a new option profile. 

Attempt least privilege for Unix (skip root delegation in Unix record)

Enable Unix authentication and then select this option to use the least privileges required for Unix authentication. When selected, the root delegation information specified in the Unix record is not passed to the scanner for vulnerability scans, so the scanner does not perform checks with elevated root privileges that are not required.


Test Authentication 

Check this option to run a quick, custom scan to test if authentication to target hosts is successful. This way you can identify issues with authentication credentials before running a full scan. The Appendix section of your Scan Results report lists hosts that passed/failed authentication. You'll also see the custom list of QIDs included in the scan.

When you choose Test Authentication, you’ll notice that these options are also enabled:

- all authentication types (you can clear any you’re not interested in but must keep at least one)

- Complete vulnerability detection (but we’re only scanning a custom list of QIDs)

- Standard Scan for TCP/UDP ports (you can switch to another option except None)

Do you have a Pay Per Scan account? A scan with Test Authentication enabled will not count against the number of available scans in your account.


Additional Certificate Detection 

When you enable the additional certificate detection option on the Scan tab, certificates are detected in more locations on your hosts. This option lets you look for certificates beyond the traditional ports alone.


Dissolvable Agent 

Enable the Dissolvable Agent

The Dissolvable Agent (Agent) is required for certain scan features (like Windows Share Enumeration). It must be accepted for the subscription; a Manager can do this by going to Scans > Setup > Dissolvable Agent. Once a Manager has accepted it, any user with scan permissions can enable the dissolvable agent for their scans: just configure the option profile and select "Enable the Dissolvable Agent".

Note: Enable the Dissolvable Agent option is enabled by default for all new VMDR users. You can disable it if needed.

How does it work? At scan time the Agent is installed on Windows devices to collect data, and once the scan is complete it removes itself completely from target systems.

Enable Windows Share Enumeration 

Use Windows Share Enumeration to find Windows shares that are readable by everyone, and report details about them like the number of files in each share and whether the files are writable. This is good for identifying groups of files that may need tighter access control. This security test is performed using QID 90635.

Please be sure these configurations are enabled: 1) the Dissolvable Agent is enabled, 2) QID 90635 is included in the Vulnerability Detection section, and 3) a Windows authentication record is defined.


Lite OS Scan 

Select the Enable lite OS detection option in your option profile. When this option is enabled and QID 45017 is present in a scan, the scan job removes expensive OS detection methods from the initial host discovery phase only. These methods may still be executed later during vulnerability testing if other QID detections need them, but not as part of host discovery, when basic host inventory information is collected.


Add a Custom HTTP Header value 

You can add a specific HTTP header value to scans in order to drop defenses (such as logging, IPS, etc.) when authorized scans are being run. This value is sent in the "Qualys-Scan:" header that is set for many CGI and Web Application fingerprinting checks. Some discovery and Web Server fingerprinting checks do not use this header. Note that the header is sent in plain text and should consequently not be the sole mechanism for bypassing security controls.
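As an added example, not from the page or from Qualys: a log-triage routine that treats a request as an authorized scan only when the Qualys-Scan header value matches and the source address belongs to the scanner network, and flags the header value arriving from anywhere else, which is the pairing the plain-text caveat above calls for. The header value, scanner network, log format and log lines are all constructed.

```python
import hmac
import ipaddress
import re

# Added example (not Qualys' own code): triage of web-server log lines that
# record the Qualys-Scan request header. The header value and scanner source
# network are hypothetical; set them to the value entered in your option
# profile and the addresses of your scanner appliances.
EXPECTED_HEADER = "op-7f3c9a-authorized"
SCANNER_NETS = [ipaddress.ip_network("10.50.0.0/24")]

# Constructed sample in an Apache custom format that appends the header, e.g.
#   LogFormat "%h \"%r\" %>s \"%{Qualys-Scan}i\"" scanlog
# Apache logs "-" when the request carried no Qualys-Scan header.
SAMPLE_LOG = """\
10.50.0.17 "GET /cgi-bin/test.cgi HTTP/1.1" 404 "op-7f3c9a-authorized"
10.50.0.17 "GET /server-status HTTP/1.1" 403 "-"
203.0.113.9 "GET /cgi-bin/test.cgi HTTP/1.1" 404 "op-7f3c9a-authorized"
198.51.100.4 "GET /index.html HTTP/1.1" 200 "-"
10.50.0.17 "GET /admin/ HTTP/1.1" 401 "wrong-value"
"""

LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\d{3}) "([^"]*)"$')


def classify(line):
    """Return a dict with a verdict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, request, status, header = m.groups()
    from_scanner = any(ipaddress.ip_address(src) in net for net in SCANNER_NETS)
    # Constant-time compare; "-" (no header) never matches.
    header_ok = header != "-" and hmac.compare_digest(
        header.encode(), EXPECTED_HEADER.encode())
    if header_ok and from_scanner:
        verdict = "authorized-scan"      # safe to suppress in alerting
    elif header_ok:
        verdict = "header-spoofed"       # right value, wrong source: alert
    elif from_scanner:
        verdict = "scanner-unlabelled"   # some checks do not send the header
    else:
        verdict = "normal"
    return {"src": src, "request": request, "status": int(status),
            "verdict": verdict}


def triage(log_text):
    """Classify every parseable line of a log excerpt."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"{row['verdict']:18} {row['src']:14} {row['request']}")
```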


Host Alive Testing 

The Host Alive Testing scan option (in the option profile) allows you to launch a quick scan to determine which of your target hosts are alive without performing other scan tests.

Perform Host Alive Testing

  1. Select the Enable Host Alive Testing check box in your option profile, and launch a vulnerability scan with this option profile.

    Note: This option can only be selected in a profile with complete vulnerability detection. This is to ensure that the checks we need to perform are included.

  2. View your scan results.

    Some Information Gathered QIDs are reported for the target hosts found alive, as shown in the sample report. Hosts that are alive are listed under Successfully Scanned Hosts (IP); hosts that are not alive during the scan are listed under Hosts Not Alive (IP).

    Note: When you run the host-alive scan for an IP range, QIDs and the scan time are not reported.


Do not overwrite OS

When this option is selected, we will not update the operating system for your target hosts. This is especially useful if you're running a light or custom scan and you don't want to overwrite the OS detected by the previous scan.


Perform Partial SSL/TLS Auditing

This scan setting allows you to partially scan SSL/TLS endpoints with an incomplete handshake. An incomplete handshake occurs when SSL/TLS endpoints require client certificates to complete the SSL/TLS handshake.

When you select the Enable partial SSL/TLS auditing checkbox, the scanner scans the SSL/TLS endpoints with an incomplete handshake. Only a subset of QIDs is checked in this mode. QIDs that are typically reported as confirmed vulnerabilities are reported as potential vulnerabilities.