Scanning - The Basics (for VM/VMDR Scans)

Recommendation for your first scan

We recommend you start small, maybe one or two IPs. Review the results, fix the vulnerabilities found, and re-scan the IPs to verify your fixes. Once you have this process down you'll feel more comfortable scanning larger sets of IPs.

What you can scan

The simple answer to what to scan is this: pretty much anything that’s connected to your organization’s network.  Here’s a list: all routers, switches, hubs, firewalls, servers (all common operating systems), workstations, databases, desktop computers, printers, and wireless access devices.

How often you should scan

Vulnerabilities must be identified and eliminated on a regular basis because new vulnerabilities are discovered every day. For example, Microsoft releases advisories and patches on the second Tuesday of each month – commonly called ‘Patch Tuesday’. We recommend you schedule your scans to run automatically (daily, weekly, monthly) and that way you'll always have the current vulnerability information for your hosts. You can even set up continuous scanning - after one scan finishes we'll start another one for you. Learn more

Tell me about vulnerability detections

We maintain the industry's most comprehensive Vulnerability KnowledgeBase across hundreds of applications and operating systems. We scan for vulnerabilities in a broad range of categories, including: back doors and trojan horses, brute force attacks, CGI, databases, DNS and Bind, e-commerce applications, file sharing, FTP, firewalls, General Remote Services, hardware and network appliances, mail services, SMB/Netbios Windows, TCP/IP, VMware, VoIP, web servers, wireless access points, X-windows and more. Go to the Search option in the KnowledgeBase to see a complete list of vulnerability categories.

Our engineers develop vulnerability signatures every day in response to emerging threats. As soon as these signatures pass rigorous testing in our Quality Assurance Lab they are automatically made available to you for your next scan. No user action is required. In addition, you can sign up to receive daily or weekly vulnerability signature update emails, detailing the new vulnerabilities we're capable of detecting.

Note: Windows QIDs (aka vulnerability detection signatures) can be detected on a Unix system with a Samba server. This is an expected behavior. 

Scan complete email notifications

You can choose to be notified via email each time a scan completes. The email gives you a summary of the results and a secure link to the saved report. Select User Profile below your user name, go to the Options section and select Scan Complete Notification. You'll notice additional email notifications you can opt in to.

How to identify hosts to scan

In order to fix vulnerabilities, you must first understand what assets (such as servers, desktops, and devices) you have in your network. Once you know what you have, you add them to your account by IP address (under Assets > Host Assets) and then you can scan them for vulnerabilities. You can add the IPs (or IP ranges) for your organization's domains and sub-networks or add the IPs for specific devices you want to scan.

Not sure what you have? Run a discovery scan (map) to find the live devices on your network, then follow workflows in the map results to add discovered assets to your account for scanning. Learn more

What are asset groups?

Asset groups are user-defined groupings of host assets (IP addresses). You can group hosts by importance, priority, location, ownership, or any other method that makes sense for your organization. When you scan an asset group, only the hosts in the group are scanned. This allows you to limit the scope of your scans to a particular group of hosts or a subsection of your network, making the scan results and remediation tasks more manageable. Learn more

What are asset tags?

Asset tagging is another method for organizing and tracking the assets in your account. You can assign tags to your host assets. Then when launching scans you can select tags associated with the hosts you want to scan. This dynamic approach is a great way to ensure you include all hosts that match certain criteria, even if your network is constantly changing as hosts are added and removed. For example, scan all Windows XP hosts or all hosts with Port 80 open. There are multiple ways to create tags, for example you can create tags from asset search (go to Assets > Asset Search) or by using the AssetView application. Learn more

Can I scan an asset group with a mix of external and internal IP addresses? 

No, you'll need to scan external and internal targets separately. Create separate asset groups/tags for external IP addresses and internal IP addresses. For external only scanning, choose the asset groups/tags with your external IPs and select the External scanner appliance option to use our cloud scanners. For internal only scanning, choose the asset groups/tags with your internal IPs and choose one or more scanner appliances (physical or virtual) in your account. When scanning asset tags, choose the "All Scanners in TagSet" option to use scanner appliances with the same tags. 

Where do I see the IPs in my account?

Go to VM/VMDR > Assets > Host Assets to see the IPs you can scan for vulnerabilities. If the IPs you want to scan are not listed then add them (or have your manager add them and assign them to you).

Note: If Asset Group Management Service (AGMS) is enabled for your subscription, you will see the Address Management tab instead of Host Assets. To understand the changes that happen when AGMS is enabled for your subscription, refer to Introducing AGMS.

Can I exclude hosts from the scan?

Yes. Enter the IP addresses you want to exclude into the Exclude IPs/Ranges field. Optionally, go to Scans > Setup > Excluded Hosts to create a list of IPs that you want to exclude from all scans launched by all users.

Scanning IPv6 addresses

We support scanning IPv6 addresses. You'll need to have IPv6 Scanning enabled - please contact Support or your Technical Account Manager. There are a couple of configuration steps you'll need to complete to get started. Learn more

Scanning by Hostname

Users have the option to scan hosts by their DNS or NetBIOS hostnames, when the Scan by Hostname feature is enabled. Contact Support or your Sales Manager if you would like to get these features. See also Scanning by Hostname | Scanning and Reporting by DNS name

Will the scan impact my hosts?

Our security service ensures the impact on your target hosts and network traffic is minimal. How do we do this?

- If we detect performance deteriorates on a target host or network during a scan, we'll adapt dynamically and reduce the scan speed.

- We run vulnerability checks appropriate to the machine being scanned (for example no test specific to Windows operating systems will be run against a Linux machine).

- Our service allows for variable bandwidth load (low, normal, high or custom) for the machines being scanned. We monitor the response (through RTT, response-time tests) and adjust the load according to your setting. You can configure this scan performance setting within your option profile.

How does the scan handle network and broadcast addresses?

Broadcast addresses for directly connected networks are explicitly blocked from being scanned. Other broadcast addresses (for networks behind a router) are excluded dynamically during host discovery, based on the responses we get.

During host discovery, the network address is marked as a dead host. When packets are sent to the broadcast address, several other IPs respond but the broadcast IP itself does not. The scanner therefore takes no further action on these IP addresses.
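The two rules above (static exclusion of the scanner's own network and broadcast addresses, and dynamic exclusion based on who answers a discovery probe), as an added illustration that is not Qualys code; the scanner interface, target ranges and probe replies are constructed sample values:

```python
import ipaddress

def exclude_directly_connected(scanner_iface, targets):
    """Drop the network and broadcast address of the scanner's own subnet
    from the target list. scanner_iface is the appliance's interface in CIDR
    form, e.g. "192.0.2.10/24" (constructed); targets is a list of CIDR strings.
    Returns (addresses to scan as strings, addresses explicitly blocked)."""
    local = ipaddress.ip_interface(scanner_iface).network
    blocked = {str(local.network_address), str(local.broadcast_address)}
    kept = []
    for cidr in targets:
        for ip in ipaddress.ip_network(cidr, strict=False):
            if str(ip) not in blocked:
                kept.append(str(ip))
    return kept, blocked

def classify_discovery(probe_replies):
    """Model of the discovery-time rule for networks behind a router.
    probe_replies maps each probed IP to the set of source IPs that replied.
    No reply at all -> dead host (typically the network address).
    Replies only from other IPs, never from the probed IP -> broadcast, excluded.
    A reply from the probed IP itself -> live host."""
    verdict = {}
    for probed, responders in probe_replies.items():
        if not responders:
            verdict[probed] = "dead"
        elif probed not in responders:
            verdict[probed] = "broadcast-excluded"
        else:
            verdict[probed] = "live"
    return verdict

if __name__ == "__main__":
    kept, blocked = exclude_directly_connected(
        "192.0.2.10/24", ["192.0.2.0/24", "198.51.100.0/28"])
    print(len(kept), "targets; statically blocked:", sorted(blocked))
    # Constructed replies for a remote /28: .0 silent, .15 answered only by others
    print(classify_discovery({
        "198.51.100.0": set(),
        "198.51.100.15": {"198.51.100.3", "198.51.100.7"},
        "198.51.100.3": {"198.51.100.3"},
    }))
```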

How can I customize my scan?

You customize your scan by changing the scan settings in the option profile. You can fine tune settings like which ports to scan and limit scanning to certain vulnerability checks (QIDs) only. Think about creating a few option profiles for the different types of scans you want to perform. The following settings can be tweaked to meet your specific needs: TCP ports scanned, UDP ports scanned, vulnerability checks (QIDs) to scan, load balancer detection, performance settings, authentication types and more.

Which option profile should I use?

The option profile you choose determines the depth of the scan. If you're not sure which options to use, start with the default profile. We provide "Initial Options" to get you started. This profile has the most common settings and should meet most of your needs. We'll run all vulnerability checks that apply to each system, and we'll scan a list of standard ports. You can see this list in the option profile.

By creating your own profile, you can fine tune settings like ports to scan and limit scanning to certain vulnerability checks. Think about creating a few option profiles for the different types of scans you want to perform.

Do you want to use authentication?

To use authentication, make sure you choose an option profile that has authentication enabled and make sure the IPs you want to scan are included in authentication records. At scan time, we'll use the information provided in your records to log into the target hosts. Go to Scans > Authentication to learn how to manage your records.

Are you trying to meet PCI compliance?

For an external PCI scan, use the profile called "Payment Card Industry (PCI) Options" that we've provided. This profile has specific configuration settings that are required for compliance. For internal PCI scans use the "Initial Options" or a profile that you've created.

Why should I use host authentication?

Authenticated scanning is an important feature because many vulnerabilities require authenticated scanning for detection. To perform authenticated scanning, you must 1) set up authentication records with login credentials for your target IPs (go to Scans > Authentication), and 2) enable authentication in the scan option profile you want to use. Learn more

Tell me about the PCI option profile

We provide the profile "Payment Card Industry (PCI) Options" with scan settings for external PCI scans. This profile must be used to meet the quarterly external scan requirement according to the PCI Data Security Standard (DSS). Learn more

Are you scanning internally or externally?

In other words, are you scanning IPs on your network perimeter (external) or inside your corporate network (internal)?

External scanning is always available using our cloud scanners set up around the globe at our Security Operations Centers (SOCs). For this option, choose External from the Scanner Appliance menu.

Internal scanning uses scanner appliances placed inside your network. Choose the "Build my list" option to select one or more scanner appliances for your scan task. Don't have one? Quickly install a virtual scanner (go to Scans > Appliances).

Options when scanning asset groups

If you're doing internal scanning on asset groups, you can choose a scanner appliance by name or select one of these options:

Default. Select this option to use the default scanner in each asset group. Edit an asset group to assign the default scanner for the group.

All Scanners in Asset Group. Select this option to distribute the scan to a pool of scanner appliances in each asset group, as defined in the asset group. Tip: Before you scan we recommend you view your target asset groups to identify the pool of scanners to be used, and make any necessary changes. Learn more

Do I need to add Qualys scanners to my allow list?

Yes, scanners must be able to reach the target hosts being scanned. Go to Help > About to see the IP addresses for external scanners that you'll need to add to your allow list. You'll also see a list of URLs that your scanner appliances must be able to contact for internal scanning.

Scanning through a firewall - avoid scanning from the inside out

Problems can arise when scan traffic is routed through the firewall from the inside out, i.e. when the scanner appliance is sitting in the protected network area and scans a target which is located on the other side of the firewall. Learn more

I don't see the scanner appliance option

You will only see the Scanner Appliance option if you have scanner appliances in your account. If this option does not appear, then your scans will use external scanners automatically.

How do I get a scanner appliance?

Contact Support or your Technical Account Manager to: 1) have a physical scanner appliance shipped to you, or 2) have the Virtual Scanner option enabled for your subscription in order to download a virtual scanner image and configure your scanner in a few easy steps.

Auto cancellation of scan

A scan is automatically canceled after 4 hours if it remains in queued status due to platform issues.

Why is the same QID detected multiple times in a day in the Qualys Cloud Agent scan?

The Qualys Cloud Agent scan executes every four hours, so it is possible for the same QID to be detected multiple times in a day. For example, if the first vulnerability detection time is 2:00 AM IST and the last vulnerability detection time is 6:00 PM IST, the agent scan is executed approximately six times in that day, so the same QID may be detected five times.

What causes the overwriting of IPs and inconsistent font size within the Appendix section of the scan results in PDF format?

When any sub-section in the Appendix of the scan results exceeds 32,000 characters, it can cause font and display issues within a few lines due to inherent restrictions of the PDF format.

I see the same QID reported multiple times for the same host

A single QID may appear multiple times for the same host, yet each instance of these QIDs is technically distinct according to the following criteria:

Duplicate entries for the same QID and port on the same host

When a host with multiple NICs, each having a different IP address and DNS hostname, is scanned, the scan reports different FQDNs for each NIC's IP address, but the DNS hostname remains the same across all reports.

As per the current design, if the FQDN reported matches the DNS hostname in the scan result, an entry is created or updated against the null FQDN.

Example: there are three IP addresses, each with a different DNS name, belonging to the same host, identified by the Qualys unique host UUID (qg_hostid) 65aa2953-03e000043044-005056af40e5. For more information about the qg_hostid or other IDs, please refer to https://qualys.my.site.com/discussions/s/article/000006216

In cases where multiple NIC IPs of the same host are reporting different Fully Qualified Domain Names (FQDNs), it is expected to create multiple entries that correspond to each reported FQDN for each IP address. Each IP or FQDN belongs to the same host, as determined by the qg_hostid.

| IP | DNS | Port | QID | SSL |
|---|---|---|---|---|
| 100.10.11.111 | accvublszef666s.test.test.com | 8080 | 45232 | 1 |
| 100.10.11.112 | accvdblsclt04.test.test.com | 8080 | 45232 | 1 |
| 100.11.11.113 | accveblrclt06.test.test.com | 8080 | 45232 | 1 |
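A model of the entry rule described above, as an added example that is not Qualys code: findings are keyed by host UUID, IP, reported FQDN (stored as null when it equals the DNS hostname), port, QID and SSL flag, so each NIC's FQDN gets its own entry while a re-scan of the same NIC updates in place. The shared DNS hostname is a constructed value; the IPs, FQDNs, port, QID and qg_hostid are the ones in the table.

```python
from dataclasses import dataclass

HOST_ID = "65aa2953-03e000043044-005056af40e5"  # qg_hostid from the page
DNS_NAME = "host01.test.test.com"                 # constructed shared DNS hostname

@dataclass(frozen=True)
class Finding:
    qg_hostid: str
    ip: str
    fqdn: str          # FQDN reported for this NIC's IP
    dns_hostname: str  # DNS hostname, identical across the host's NICs
    port: int
    qid: int
    ssl: int

def entry_key(f):
    """Key under which a finding is stored. When the reported FQDN equals the
    DNS hostname the entry is kept against a null FQDN (assumed model of the
    'null FQDN' rule); otherwise each distinct FQDN is its own entry."""
    fqdn = None if f.fqdn == f.dns_hostname else f.fqdn
    return (f.qg_hostid, f.ip, fqdn, f.port, f.qid, f.ssl)

def merge_findings(findings):
    """Create or update one entry per key; later findings overwrite earlier ones."""
    entries = {}
    for f in findings:
        entries[entry_key(f)] = f
    return entries

def sample_findings():
    """The three NICs from the table: same host, same QID/port, different FQDNs."""
    rows = [("100.10.11.111", "accvublszef666s.test.test.com"),
            ("100.10.11.112", "accvdblsclt04.test.test.com"),
            ("100.11.11.113", "accveblrclt06.test.test.com")]
    return [Finding(HOST_ID, ip, fqdn, DNS_NAME, 8080, 45232, 1) for ip, fqdn in rows]

if __name__ == "__main__":
    for key in merge_findings(sample_findings()):
        print(key)  # three distinct entries, one per NIC/FQDN
```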

I see a discrepancy in the scan list count

When a user with the Unit Manager role views the scan list in the VM UI (Scans > Scans), the displayed count differs from what is returned when the scan list API is executed. This discrepancy occurs because the Show in Scope Scan List option is disabled in the VM UI, while the in-scope scan list is enabled by default in the API.