Tell me about Vulnerability Scan Results
Every completed scan has a scan results report with the raw, unfiltered results.
|
Why don't I see some Information Gathered (IG) type QIDs in scan results? |
Check out this video:
How do I see my scan results?
Go to VM/VMDR > Scans, identify the scan you're interested in and select View from the Quick Actions menu.
How do I download the scan results?
By selecting Download from the Quick Actions menu you can save a copy locally in one of many formats.
Scan results in XML: Qualys API (VM, PC) User Guide 
Can I look at partial results as my scan is running?
Yes. Choose View from the Quick Actions menu for your running scan. The scan status appears and partial results are available in an HTML report for the IPs that have been scanned. You can look at the results but you can't run reports on the data until the scan is finished and the results have been processed.
Tell me about Average Security Risk
You'll see the average security risk score for all active hosts in the scan results report in the Summary of Vulnerabilities section. The average security risk is calculated as the sum of the security risk scores for all active hosts divided by the number of active hosts. (This calculation method applies to the averages security risk in scan results.)
What is the security risk for each active host?
What's in the Detailed Results section of the report?
You'll see each scanned host identified by IP address with additional information (if collected during the scan):
IP address (DNS hostname, NetBIOS hostname) Operating System
For each host, you'll see the detected vulnerabilities by severity level - confirmed vulnerabilities, potential vulnerabilities and information gathered. Disabled vulnerabilities will appear grayed out.
Why wasn't my host scanned?
You'll see a list of hosts that were scanned and not scanned in the Appendix section of your scan results. A host may not be scanned for a variety of reasons.
Show me reasons a host may not be scanned
Authentication to my host failed. What should I do?
Hosts that fail authentication appear in the Appendix section of your results. We recommend you run the Authentication Report to get information to help you with troubleshooting the issue before you launch new scans. Go to Reports > Reports and choose New > Authentication Report.
Why don't I see data in the graphs?
The Operating Systems Detected graph will be empty if your scan did not include "Operating System Detected" vulnerability (QID 45017). The Services Detected graph will be empty if your scan did not include "Open TCP Services List" (QID 82023) and "Open UDP Services List" (QID 82004). Check the option profile you selected for the scan to be sure these QIDs are selected.
My report is large. How do I see all the sections?
Large reports are divided into segments of IPs to make the results more manageable. Use the View menu to see the available segments, and then select a segment and click Go to see the results for that segment.
Tip: Create a scan report with fewer hosts using a report template that filters the output by asset groups or tags. This will make your scan results more manageable for reviewing and sharing with others. You can do this by going to VM/VMDR > Reports > Templates. There are several templates you can choose from (we recommend the Technical Report or the High Severity Report to begin) and you can change the template to select asset group or tags.
How do I know if authentication was successful?
For authenticated scans it's important to verify that authentication was successful. It is recommended that you resolve authentication failures before the next scan. Learn more
Tell me about host scan data and scan reports
We store saved scan results separate from host scan data (also called Automatic data). Host scan data is the normalized data collected from your scan results and this is updated as new scans are completed and scan results are processed. Host scan data provides the most up-to-date information and current security status for each host. This appears throughout the user interface and in Automatic vulnerability scan reports. Learn more
Think you might have a false positive?
Review the Results section of the QID for the host. This will show you the specific reasoning why the vulnerability was reported for that host. Learn more
Why don't I see some Information Gathered (IG) type QIDs in scan results?
For potential and confirmed vulnerabilities, the vulnerability status (New, Active, or Fixed) is updated and recorded with every scan. For more information, see Vulnerability Status Levels.
However, for Information Gathered (IG) type vulnerabilities, this status is not retained. Consequently, when an IG-type vulnerability is fixed (that is, when it is not detected in the ongoing scan), it is removed from the scan results without displaying the Fixed status.
Notes:
-
An authenticated scan using a scanner appliance processes all QIDs with both remote and authenticated discovery types.
-
The authenticated scan using a scanner appliance does not delete the IG-type QIDs:
-
When it is a custom scan and the IG-type QIDs are not part of the custom QID list.
-
When the Host-Alive Testing option is enabled in the option profile.
-
When the IG-type QIDs are part of the Excluded QIDs list.
-
If asset merging is enabled with option (agentless +correlation id)
- When a remote authenticated/unauthenticated scan (ML/scanner specific) runs on a system, it deletes the IG-type QIDs that are not reported in the current remote authenticated/unauthenticated scan.
- When an agent scan runs over the system, it deletes the IG-type QIDs that are not reported in the current agent scan by CAS.
If asset merging is not enabled
- When an agent scan runs over the system, it deletes the IG-type QID that was detected in the earlier agent scan but not reported in the current scan. It will delete only the agent supported QIDs.
- When a remote authenticated scan (ML/scanner specific) runs on a system, it deletes all the IG-type QIDs that were detected in the earlier agent scan but not present in the current scan.