Release 10.30

October 13, 2024

What’s New?

Qualys Vulnerability Management (VM)

Default Setting Enablement for a New VMDR Subscription

When a VMDR subscription is enabled, you may have opted for only a certain number of features, and you may not be aware of all the features VMDR offers. Once you become familiar with the available features, you would typically need to contact your Technical Account Manager (TAM) or Qualys Support to enable additional ones. This process has a dependency on multiple stakeholders.

With this release, that dependency has been removed. All the features (given below) are now enabled by default for VMDR subscriptions.

The default setting enablement is only available for new VMDR subscriptions.

Following are the details of default settings that will be enabled for new VMDR subscriptions:

Default Setting Changes

Unique Asset Identifiers

  • Agentless Identifier: Accept Agentless Tracking Identifier
  • Agent Correlation Identifier: Accept Agent Correlation Identifier

Asset Merging:

  • Cloud Agent Configure Agent Scan Merge to be enabled by default: "Merge data for a single unified view"

Scans Setup Page

  • Accept Dissolvable Agent
  • DNS Tracking
  • Maximum Scan Duration per Asset
  • Debug Scans

Report:

  • CVSS Scoring
  • OS CPE: Enable OS CPE Support

Address Management: For new VMDR subscriptions, when adding new IP addresses to the licensee container, Vulnerability Management (VM), Security Configuration Assessment (SCA), and Certview applications are enabled by default (Assets > Address Management > New > IP Tracked Addresses > Subscription IPs).

The following default settings are enabled for better product experience:

  • Enable PCAP Scan - With a PCAP Scan you will get vulnerability scan results plus a PCAP (Packet Capture) file that contains all TCP network traffic captured between the scanner and the target host. (VMDR > Scans > Scans > New > PCAP Scan)

  • Enable Close Vulnerabilities on Dead Host - Option profile settings to close vulnerabilities when host is not found alive after set number of times. (VMDR > Scans > Option Profiles > New > Option Profile > Scan tab > Close Vulnerabilities on Dead Hosts)
  • Enable Purge old host data when OS is changed - Settings to purge host data when we detect major change in host OS vendor. (VMDR > Scans > Option Profiles > New > Option Profile > Scan tab > Purge old host data when OS is changed)
  • Enable exposing Threat Protection RTI 
  • Enable Customer QRDI Checks - Allow users to create their own vulnerabilities for QRDI checks. (VMDR > KnowledgeBase > New > QRDI)
  • Allow Scanner to Scan Multiple Slices in a Single Scan 
  • Enable Tag support in Authentication Records - Allows creation of authentication records using IP range in Tag Rule. 
  • Enable Cloud Perimeter Scan, Azure scan, and GCP Compute Engine scan - Allow users to create cloud perimeter scan jobs on public-facing instances in their cloud environment, Azure, and GCP Compute Engine environment. (VMDR > Scans > Scans > New > Cloud Perimeter Scan/Azure/GCP Compute Engine)
  • Enable Internal scanners for Cloud Perimeter Scans - Allow users to use internal scanner in addition to external scanner for cloud perimeter scan. (VMDR > Scans > Scans > New > Cloud Perimeter Scan)
  • Enable Qualys Containerized Scanner Appliance (QCSA) for a subscription (VMDR > Scans > Appliances > New > Containerized Scanner Appliance)
  • Enable Advanced Scan Tuning Options (to be available in the option profile)
  • Asset Tag Scoping - Asset Tagging provides a flexible and scalable way to automatically discover and organize the assets in your environment
  • Password Never Expires for API Access (VMDR > Users > Setup > Password Never Expires)

Qualys Recommended Option Profile

With this release, we have introduced the Qualys Recommended Option Profile for all new VM/VMDR subscriptions. This enhancement enables the default settings from the Qualys Recommended Option Profile to be automatically applied when creating a new Option Profile. These applied settings are designed to improve scanning efficiency and ensure adherence to best practices.

This feature will be available for use from mid-November. For more details, refer to blog - Qualys Recommended Option Profile – Upcoming Important Changes.

The default settings are summarized as follows:

  • The number of standard TCP Ports is increased from 1,900 to 2,800. Also, the number of additional TCP ports is increased from 12,500 to 20,500.

    Standard and Advanced TCP ports.

The following image illustrates the list of all 2,800 Standard TCP Ports

Total 2800 Standard TCP ports.

  • The Enable Parallel Scaling for Scanner Appliances setting is now enabled by default in Option Profiles, which enhances scan performance and reduces scan completion time.

    Enable parallel scanning for scanner appliance checkbox selected.
  • The profile purges old host data when the operating system is changed, which enhances scan performance and improves record authentication. The purge action is initiated only when the operating system is accurately detected during authenticated scans or by the Cloud Agent.

    Purge old host data when OS is changed checkbox selected.
  • Windows and Unix authentication are now enabled by default when creating an Option Profile, which helps reduce issues caused by improperly configured profiles.

    Windows and Unix checkbox selected under Authentication.
  • The Dissolvable Agent option is enabled for all VMDR users by default. For existing VMDR users, the option Dissolvable Agent can be enabled from Scan > Setup.

    Dissolvable Agent checkbox selected.
  • The Save As option is disabled when editing an existing Option Profile. The option is disabled to avoid duplication of existing option profiles.

    Save As option disabled.

Qualys API Support

For this enhancement, we have updated the API /api/2.0/fo/subscription/option_profile/vm/. For more information, refer to Cloud platform 10.30 API Release Notes.

View Patch Published Date for a QID

When a vulnerability is identified, it is crucial to address it with a solution, because each day a vulnerability remains open it poses a potential risk. To resolve this, vendors release patches designed to fix the issue. The Patch Published Date field shows the date on which a vendor released a patch that users can apply to address the vulnerability. Previously, this information was not easily accessible: you had to enter asset information details to view the patch published date for a particular QID.

With this release, we have added the Patch Published Date to the Vulnerability Information window for a QID. This enables you to identify the date on which the patches were first released for the QID.

Patch Published Date for a QID

Qualys API Support

For this enhancement, we have implemented versioning for the API /api/3.0/fo/knowledge_base/vuln/. For more information, refer to Cloud platform 10.30 API Release Notes.

User Interface Enhancements

With this release, we have implemented the following User Interface (UI) enhancements:

Enhancement in Change Password Page

We have enhanced the Change Password page for a better user experience. It now displays all the mandatory fields, including the captcha, at a glance to help you complete every step. Even when the error message is displayed on the Change Password page, the field alignment remains unchanged.

Change Password page with all fields.

Change Password Enabled for all New Subscriptions

When you log in to the Vulnerability Management (VM) or Policy Compliance (PC) application for the first time with the default password, you are now prompted to change it to a password of your choice. We have made the change password step mandatory for all users, irrespective of the subscription. Users who log in to their accounts for the first time must now verify their information, accept the service agreement, and then change their default login password. Previously, changing the system default password depended on the VM and PC application. This dependency is now removed.

Change password page displayed when logging in for the first time for all users.

Enhancement for Password Field Visibility

When entering a password, there is a chance that it is typed incorrectly. Therefore, it is important to have an option that lets you view the password you have entered. We have thus introduced an eye icon on the password field across various screens.

This feature improves usability in the following ways:

  • Accuracy and Transparency: With the icon, you can see the password you are entering, which prevents login errors due to mistyping.
  • User Empowerment: By allowing you to see your password, you gain better control over your interactions with the product.

The password visibility icon is now available on the following screens:

  • Qualys login page
  • Change Password (for both current and new passwords)
  • Forgot Password > Change Password dialog box in the Forgot Password workflow

The icon appears when you select the password field.

Login page:

Login screen for all users.

Change Password:

Change Password page for users.

Forgot Password:

Forgot Password page.

Qualys Policy Compliance (PC)

Enhanced Data Limit for Actual Result and Extended Evidence in Policy Report

The limit for displaying Extended Evidence and Actual Results in the Policy report for Active Directory (AD) System Defined Controls (SDC) has been increased to 100,000 rows. Previously, the limit was 5,000 rows, which resulted in incomplete data being displayed in the Extended Evidence and Actual Result sections. The enhanced data limit of 100,000 rows now allows the full extended evidence and actual data to be displayed in the Policy report. To learn more about extended evidence and actual results, refer to Policy Compliance Reporting - The Basics.

This enhanced data limit only applies to AD SDCs. For other SDCs, the limit is 5,000 rows.

Contact Qualys support to enable this feature for your subscription.

CSV Report Format Enhancement for Policy Report

We have improved the CSV report format to include a new section, Possible reason for empty report, under RESULTS. This section displays the reason for an empty report along with the corresponding reason code. Knowing the reason helps you identify and address any issues on your end. Depending on the type of problem causing the report to contain no data, this section displays one of the following reasons and reason codes:

Reason Code   Reason
R001          No HostIDs resolved.
R002          No HostIDs matching with policy technology.
R003          No posture data available.
R004          Template setting may not be configured properly. Please verify the template setting.

The following image illustrates the empty report displaying the reason and reason code:

Empty CSV report.

Control Chaining and CIS Data-Driven Reports for CIS Policies

With this release, to evaluate your CIS policies precisely against the CIS benchmarks, the controls are now chained logically in the context of CIS references.

You can now generate a dedicated policy compliance report that organizes compliance data according to the CIS references. This report offers insight into control chaining conditions for CIS references and presents the compliance data in diverse ways, providing you with a comprehensive view of your CIS compliance.

This enhancement offers you a structured framework for assessing your adherence to the CIS benchmarks. It also ensures that all relevant controls are considered and assessed logically.

Important to know!
  • This enhancement is exclusive to PC subscriptions and not available for SCA subscriptions.
  • Only CSV report format is supported.
  • The following controls are skipped from the Policy report:
    • Controls that are chained logically in the context of CIS references but are not part of the policy that is being evaluated
    • Inactive controls

Benefits

Here are some benefits offered by this enhancement:

  • Systematic Approach: Control chaining allows you to evaluate compliance with CIS benchmarks and controls in a structured and systematic manner.
  • Consistency and Standardization: Chaining policy compliance controls based on CIS references ensures consistency in evaluating compliance across the organization.
  • Dependency Handling: Control chaining considers dependencies or relationships between controls. This ensures a more accurate assessment of compliance.
  • Simplified Compliance Reporting: A dedicated report template for CIS compliance makes it easier to review the adherence to CIS benchmarks and controls.
  • Improved Remediation: The dedicated CIS compliance report facilitates remediation efforts by identifying areas of non-compliance more precisely.
  • Enhanced Security Posture: As the security controls are now evaluated in a systematic manner, the probability of overlooking critical aspects of compliance is reduced. This, in turn, helps you improve your overall security posture.

Prerequisites

  • To enable this feature for your subscription, contact your Technical Account Manager or Qualys Support.
  • The Qualys Cloud Platform version 10.30.0.0 or later.
  • PCRS enabled subscription along with the PCRS version PCRS-1.16.0 or later.
  • Import a CIS benchmark policy for which control chaining is implemented and run a compliance scan using it. To know the policies for which control chaining is implemented, refer to Online Help.

Support for DataStax Database Authentication

With this release, we have added support for DataStax (5.x/6.x) authentication for compliance scans using the Policy Compliance (PC) and Security Configuration Assessment (SCA) applications on Unix and Windows platforms. You can create a DataStax authentication record with your credentials to authenticate to a DataStax database instance running on a host and perform a compliance scan.

Select DataStax from Authentication Database.

Qualys API Support

For this enhancement, we added a new API, /api/2.0/fo/auth/datastax/. For more information, refer to Cloud platform 10.30 API Release Notes.

Adding SSL Verification to Sybase Authentication Record

When scanning a Sybase database, the authentication method was limited to certificate-based authentication. We have now added support for SSL verification to the Sybase Authentication Record. This allows you to authenticate to and scan Sybase databases using SSL verification in the Policy Compliance application.

SSL verify and hosts displayed on the Sybase Authentication window.

Qualys API Support

For this enhancement, we have implemented versioning for the API /api/3.0/fo/auth/sybase/. For more information, refer to Cloud platform 10.30 API Release Notes.

Activate or Deactivate Policies using an SCA account

With this release, all Security Configuration Assessment (SCA) accounts have permission to activate or deactivate policies, either individually or in bulk. You can also filter the list of policies displayed in the Policies tab to show only active or inactive policies.

Activate a single Policy

Deactivate a single Policy

Activate or deactivate multiple Policies

You can see whether each policy is active or deactivated from the eye icon shown against it: the active policy icon indicates the policy is active, whereas the deactivated policy icon indicates the policy is deactivated.

Icons displayed against each policy indicating if they are active or inactive

Support to Sort the Compliance Criticality in the Scorecard Report Template

With this release, we have added two new options under Overall Compliance by Criticality in the Compliance Scorecard Report Template. You can now sort the compliance criticality in ascending or descending order. Earlier, criticality was sorted by percentage, which made it difficult to determine the criticality of the compliance accurately.

Select the option to sort the criticality.

The sort order works as follows:

  • Ascending order: the report displays Medium criticality first, followed by Serious, Critical, and Urgent levels.
  • Descending order: the report displays Urgent criticality first, followed by Critical, Serious, and Medium levels.

This helps you identify the criticality of the compliance and take further action. When you have not selected either option, the report displays the criticality based on percentage.

This is applicable to all the scorecard report formats, such as PDF, HTML, and XML.

Improve Deletion of Stale PC Technology/Instances

With this release, the following issues related to stale PC Technology/Instances deletion have been resolved:

  • Previously, the deletion of posture data for instance-based technologies such as Tomcat, Apache HTTP, and many more led to reports missing data when OS authentication failed. With this release, the posture data for such instance-based technologies is skipped (not deleted) if OS authentication fails.
  • Previously, processing a full scan deleted the posture data of instances that were reported via an agent middleware scan. This was possible when the host merge feature was enabled for unified view/smart merging. Such deletions are now restricted; only instances reported by the same scan source are considered for deletion. The posture data can still be deleted if the technology/instance is found to be stale. You enable this from Policy Compliance > Scan > Setup > Inactive Purge Instance; once a value is specified in this field, data is removed for instances that have not been updated in that number of days.
  • Previously, when processing results of Scan-By-Policy (SBP), at least one instance was required to be present in the scan results for deleting stale technologies/instances. Deletion is now supported even if no instance is reported in the latest scan.
  • We have expanded posture data deletion for all technologies covered via agent middleware scan.

Support for New Authentication Technologies

With this release, the following technologies are now supported for Policy Compliance authenticated scans:

Oracle 23ai (Multitenant)

With this release, the Oracle 23ai (Multitenant) technology is supported for Policy Compliance authenticated scans using scanners and Cloud Agent. The technology is now available for use at the following places for both scanner and agent:

Policy Editor

When you create or edit a compliance policy, Oracle 23ai (Multitenant) is now available in the list of supported technologies.

Oracle 23ai Multitenant option when creating a new policy

Search Controls

When you search controls, you see Oracle 23ai (Multitenant) in the list of technologies. Go to Policies > Controls > Search and select Oracle 23ai (Multitenant) in the list.

Oracle 23ai Multitenant option  when searching under Controls

Authentication Report

To display all OS authentication-based instance technologies per host, including Oracle 23ai (Multitenant), in your authentication report, go to Reports > New > Authentication Report and, under Appendix, enable the OS Authentication-based Technology option.

OS Authentication based Technology checkbox selected

Oracle 23ai (Multitenant) is now listed under application technologies in the Result section of a compliance scan report.

Oracle 23ai Multitenant option in scan results

Scroll down to the Appendix section of your authentication report to view Oracle 23ai (Multitenant) listed under Targets with OS authentication-based technologies.

Authentication report displaying the authentication technology as Oracle Enterprise Linux.

Scan Results

Sample Report

The sample report displays the tracking method and the instances for both scanner and agent. You can view the instances of Oracle 23ai (Multitenant) for scanned hosts in compliance reports.

  • Scanner
    The sample report displays the tracking method for the scanner as IP with an instance of oracle23cdb.

    Scanner image for Oracle 23ai Multitenant
  • Agent

    The sample report displays the tracking method for the agent as AGENT with an instance of oracle23cdb.

    Agent tracking report.

    When you use a cloud agent for Policy Compliance, the cloud agent auto-discovers Oracle 23ai (Multitenant). When an agent scan detects Oracle 23ai (Multitenant) on a host, it is displayed at PC > Assets > Middleware Asset.

    Oracle 23ai Multitenant option in Middleware Assets

For more information, see Authentication Technologies Matrix.

Windows 2022 Active Directory

Windows 2022 Active Directory optimizes traffic and enhances overall performance in an environment with numerous groups. You need a Windows record to authenticate to Windows 2022 Active Directory and scan it for compliance. You can scan, create policies with the desired controls, and run reports such as authentication, policy, and interactive reports for Windows 2022 Active Directory. It is supported for both scanner and agent.

Windows 2022 Active Directory is now available for use at the following places for both scanner and agent:

Policy Editor

When you create or edit a compliance policy, Windows 2022 Active Directory is now available in the list of supported technologies. 

Select Windows 2022 Active Directory.

Search Controls

When you search controls, you see Windows 2022 Active Directory in the list of technologies. Go to Policies > Controls > Search and select Windows 2022 Active Directory in the list.

Windows 2022 Active Directory checkbox selected in the Search window.

Authentication Report

To display all OS authentication-based instance technologies per host, including Windows 2022 Active Directory, in your authentication report, go to Reports > New > Authentication Report and enable the OS Authentication-based Technology option under Appendix.

Select OS authentication technology under Appendix.

Scroll down to the Appendix section of your authentication report to view Windows 2022 Active Directory listed under Targets with OS authentication-based technologies.

Appendix section shows Windows 2022 Active Directory.

Scan Results

Windows 2022 Active Directory is now listed under Application technologies found based on OS-level authentication in the Result section of a compliance scan result.

Showing Windows 2022 active Directory in the result section.

When you use a cloud agent for Policy Compliance, the cloud agent auto-discovers Windows 2022 Active Directory. When an agent scan detects Windows 2022 Active Directory on a host, it is displayed at PC > Assets > Middleware Asset.

Sample Report

The sample report displays the tracking method and the instances for both scanner and agent. You can view the instances of Windows 2022 Active Directory for scanned hosts in Compliance Reports.

  • Scanner
    The sample report displays the tracking method for the scanner as IP with an instance of ad2022.

    Sample report displayed from Agent.
  • Agent
    The sample report displays the tracking method for the agent as AGENT with an instance of ad2022.

    Sample report displayed from Agent.

For more information, see Authentication Technologies Matrix.

Support UDC for Agent on MacOS X

With this release, we support the Script Result Check UDC type for MacOS X under Unix Script UDC. Earlier, support was limited to the Windows platform type for Windows Script UDC and the Linux platform for Unix Script UDC. This lets you validate scripts against MacOS X technologies.

Script result check available in Unix control type policies.

Issues Addressed

The following reported and notable customer issues have been fixed in this release:

Component/Category (Application) - Description

  • VM - Report Schedule (Vulnerability Management): When a user attempted to schedule a report for a report generated from the API, an error message stating "An error has occurred and the Qualys Server cannot process your request" was displayed. This happened because report schedules were not being set up for reports created using the API. The relevant code changes have been made to address this issue. You can now schedule API reports and any other on-demand reports successfully.
  • VM - Reports General (Vulnerability Management): When users generated an authentication report, the operating system did not appear in the Operating System section of the report. This issue occurred because the OS value was retrieved from the wrong column in the table. Relevant code changes were made to fix this issue.
  • VM - Feature Request (Vulnerability Management): Data related to Host Application was getting processed in QWEB as well as Portal, and considerable time was spent processing the data in QWEB. Relevant tweaks were added at the platform level to resolve this issue. Now, when you enable the tweak, the host application data is not processed, and data is not inserted or updated in the host application table at QWEB.
  • VM - User Management (Vulnerability Management): When a user without GUI access tried to access the Qualys user interface, an expected login failure occurred. However, the login failure logs that recorded the login attempt displayed the role of the user incorrectly. Relevant code changes have been made to resolve this issue. The failure logs now display the correct user role.
  • VM (Vulnerability Management): When users referred to the Qualys Vulnerability Management - Scanning for Default Credentials & Commonly Used Passwords document, they observed that certain QID credentials were missing. Relevant changes have been made to resolve this issue. The document Vulnerability Management - Scanning for Default Credentials & Commonly Used Passwords is now updated with the list of QID credentials. For more information, refer to the Vulnerability Management - Scanning for Default Credentials & Commonly Used Passwords document.
  • VM - Knowledge Base (Vulnerability Management): When users tried to create a Dynamic search list and entered "CVE-" in the CVE ID field with the "Contains" operator, an error was displayed. This is because, when validating the CVE ID field, the provided value must be either a valid CVE ID pattern or must contain the value as entered in the field. Relevant code changes have been made to resolve this issue. The CVE ID filter value is now selected before the regex validation is applied to the CVE ID field.
  • VM - Remediation (Vulnerability Management): When users used an asset group configured with DNS in a remediation policy, the policy evaluation process failed, and therefore remediation tickets were not created. This is expected behavior: the backend service (AGMS) resolves only IPs from the asset groups, not DNS. Due to this, policy evaluation fails for such assets, and remediation tickets do not get created. This is now documented in the Online Help in Remediation - The Basics.
  • VM - Reports (Vulnerability Management): When users created a scan report template through the API by passing 0 values for exploitability and malware in the request, or through the UI by unchecking the exploitability and malware options, the exploitability and malware columns were still visible in the XML report format. The relevant code changes have been made to resolve this issue.
  • VM - Assets (Vulnerability Management): When users tried to view Existing Excluded Hosts (Scans > Setup > Excluded Hosts > Existing Excluded Hosts) in the Excluded Hosts Setup, the page took a considerable amount of time to open. The relevant code changes have been made to resolve this issue.
  • PC (Policy Compliance): We now support the Windows 2022 Active Directory instance for Policy Compliance authenticated scans. Windows 2022 Active Directory enhances performance and optimizes traffic in large environments. It supports both scanners and agents, allowing for compliance scanning, policy creation, and report generation. You can use it with Policy Editor, Search Controls, Authentication Reports, and Scan Results.
  • PC - Reports (Policy Compliance): Previously, posture data for instance-based technologies like Tomcat and Apache HTTP was deleted when OS authentication failed, leading to missing data in reports. Processing a full scan also resulted in the deletion of instances reported via agent middleware when host merging was enabled. Additionally, deleting stale instances in Scan-By-Policy (SBP) required at least one instance in the results, and posture data deletion was limited for some technologies. Relevant code changes have been made to resolve these issues, preventing unnecessary deletions, expanding support for agent middleware, and improving stale instance management.
  • PC - Feature Request (Policy Compliance): When users executed the Policy Compliance report for Active Directory (AD) System Defined Controls (SDC), incomplete data was displayed in the Extended Evidence and Actual Result sections. Relevant code changes have been made to resolve the issue. Now, you can view the full extended evidence and actual data in the report.
  • PC - Authentication Records (Policy Compliance): When users edited an MS SQL Server Authentication Record, entered the member domain details, and proceeded to save it, an error asked for IPs, although the expected behavior is to enter either IPs or member domains. Relevant code changes have been made to resolve this issue.
  • PC - Policy Editor (Policy Compliance): When a user attempted to copy a control from one technology to another and proceeded to save it, an error was displayed. This was because a single quote was present in the expected value field. Relevant code changes have been made to resolve this issue.
  • SCA - Reports (Policy Compliance): When users executed a Compliance Policy Report by selecting Group By Controls and unchecking the Asset Tag option in the Compliance Policy Report Template, the Asset Tag details were still displayed below each control section in the report. The relevant code changes have been made to resolve this issue. Now, under the Group By Control selection, the option is shown as Asset Tag for CSV Reports Only instead of Asset Tag.