The Scan tab is where you'll make scan settings like which ports to scan, which QIDs to scan, whether to include authentication, scan performance settings, and more.
Jump to a section below:
|
|
We use ports to send packets to the host in order to determine whether the host is alive and also to do fingerprinting for the discovery of services. We will scan the standard list of TCP ports unless you choose a different option in the profile. Select Full to scan all ports or Light Scan to scan fewer ports. You can also add a custom list of ports to scan by selecting Additional and entering ports in the field provided.
When enabled, the scanning engine performs a 3-way handshake with target hosts. After a connection between the service and the target host is established, the connection will be closed. This option should be enabled only if you have a configuration that does not allow an SYN packet to be followed by an RST packet. Also, when this is enabled, TCP based OS detection is not performed on target hosts. Without TCP based OS detection, the service may not be able to identify the operating system installed on target hosts and perform OS-specific vulnerability checks.
We use ports to send packets to the host in order to determine whether the host is alive and also to do fingerprinting for the discovery of services. We will scan the standard list of UDP ports unless you choose a different option in the profile. Select Full to scan all ports or Light Scan to scan fewer ports. You can also add a custom list of ports to scan by selecting Additional and entering ports in the field provided.
When you choose to do a Full UDP port scan, we'll first determine if this is feasible for your target hosts. For hosts behind a firewall configured to block or drop most UDP packets and for hosts that have a limit on the transmission rate of ICMP Port Unreachable packets (e.g., one ICMP packet per second), full UDP port scanning time will be significantly increased. In these cases, we'll automatically perform a standard scan on the default UDP ports instead of a full scan.
You'll see traffic if the port is being scanned but you may also see traffic for other reasons, such as OS detection, router/firewall detection, path analysis, port mapping analysis, etc. In these cases we may send data to a port without actually scanning it. The list of "ports to scan" only controls scan traffic, not other types of traffic. In many situations we have a need to access a port for reasons that have nothing to do with scanning the port. Ports that do not appear in the list of ports to scan may still receive network traffic during a scan, but that does not mean that they are being scanned.
When enabled, the results from light port scans and scans on customized port lists affect the status for all vulnerabilities on target hosts, not just those detected on the scanned ports. Learn more
Select ports for host discovery (affects scans and maps) on the Additional tab in the option profile. Learn more
Select ports for basic information gathering (affects maps) on the Map tab in the option profile. Learn more
A dead host is a host that is unreachable - it didn't respond to any of our pings. Typically you'd want to avoid wasting time on scanning a dead host. You may choose to scan dead hosts but note that this may substantially increase scan time.
Enable this Option Profile setting to close vulnerabilities or related tickets for hosts that are not found alive after a predefined number of scans. When enabled, we'll mark existing tickets associated with dead hosts as Closed/Fixed and update the vulnerability status to Fixed.
Here is an article about it – Best Practice Subscription Maintenance: Opt-In Vulnerability Management Asset Housekeeping Subscription Support Options.
Navigate to Scans-> Option Profiles (Edit Option Profile)-> Scan, to enable/disable.
Notes:
- You must choose Full or Standard options for both TCP Ports and UDP Ports in the same option profile when using this feature. This is because we don't close vulnerabilities for Light scans.
- If you do not see this feature enabled for your subscription, contact your Account Manager or Support to get it.
Enable this Option Profile setting to purge old host data when there is a significant change in the host OS vendor. This option is useful if you have systems that are regularly decommissioned or replaced.
Example: OS changes from Linux to Windows or Debian to Ubuntu. We will not purge the host for an OS version change like Linux 2.8.13 to Linux 2.9.4.
Navigate to Scans-> Option Profiles (Edit Option Profile)-> Scan, to enable/disable.
Find help for this setting here. If you face any discrepancy in host data after setting Purge old host data when OS is changed in Option Profile, read this article.
Note:
- If you do not see this feature enabled for your subscription, contact your Account Manager or Support to get it.
- Recommend this setting to be enabled only for the default Option Profile, where the required authentication record settings are enabled.
Important - Performance settings should only be customized under special circumstances by users with an in-depth knowledge of the target network and available bandwidth resources.
Configure performance settings to fine tune the intensity of your scans. We'll select the performance level "Normal" initially and this is recommended in most cases. Click Configure to change to another performance level. You can also define a custom level - select Custom for Overall Performance and configure the settings. Want to know more? See scan performance settings.
When load balancer detection is enabled in the Scan section, we check each target host to determine if it's a load balancer. When a load balancer is detected, we determine the number of Web servers behind it and report QID #86189 "Presence of a Load-Balancing Device Detected" in your results.
Use Password Brute Forcing to find out how vulnerable your hosts are to password-cracking techniques. Common targets of brute force attacks are hosts running FTP, SSH and Windows. Choose "System" and we'll attempt to guess the password for each detected login ID on each target host scanned. Select the level of brute forcing you prefer with options ranging from "Minimal" to "Exhaustive". Choose "Custom" to configure your own login/password combinations to look for. Learn more
This option is only visible when the feature has been enabled for the subscription by a Manager under Scans > Setup > Max Scan Duration per Asset.
Once enabled for the subscription, you can enable this option in your option profile. Select the option "Set maximum scan duration of <number> minutes per asset" and enter the number of minutes (30 to 2880) for how long you will allow the scan to run on a single asset.
If the scan on a single asset exceeds the maximum duration that you've specified, then the scan on the asset will be aborted and the scan job will continue to the next target. The Scan Status page will list the hosts that exceeded the duration specified in the option profile. Learn more
When you scan a host, the scanner first gathers information about the host and then scans for all vulnerabilities (QIDs) in the KnowledgeBase applicable to the host. This is a Complete vulnerability scan.
Select Custom under Vulnerability Detection if you prefer to limit the scan to a select list of QIDs. Then add search lists with the QIDs you're interested in. For example, you may only want to scan for vulnerabilities related to a specific product, operating system or category.
The "Select at runtime" option allows you to launch a one-time custom scan. At scan time, you'll be prompted to select vulnerabilities to include in the scan. The list of vulnerabilities is not saved in the profile and this option cannot be used for scheduled scans.
Basic host information checks look for things like DNS hostname, NetBIOS hostname and operating system. Once we have this information for a host we show it in your scan reports, on the host assets list, in remediation tickets, and so on. These types of checks are always included in Complete scans. But if you're performing a Custom scan, you must select this option in the profile or we won't check for this basic host information.
To scan OVAL checks, use search lists in the Vulnerability Detection section, as described below. Note that you must also enable Windows authentication in the same option profile. Not sure how to get started? Learn more
To scan all OVAL vulnerabilities: add a search list that has QID 105186, and select the option "OVAL checks" in the Include section.
To scan only select OVAL vulnerabilities: add a search list that has the specific OVAL QIDs you want to test plus QID 105186.
About QID 105186: QID 105186 "Errors During Execution of User-Provided Detections" is a diagnostic QID that will provide important information about OVAL detections like errors reported and will help you if OVAL detection fails.
Can I use the Complete option? Yes, you can use "Complete" vulnerability detection along with "OVAL checks" to scan for all OVAL vulnerabilities but QID 105186 will not be included in the scan. This is why we suggest you use search lists.
Select the Excluded QIDs option and add one or more search lists with the QIDs you're not interested in. The scan engine will consider this list at scan time and exclude them if possible. It’s important to understand that the exclude QIDs option is not intended as a traffic blocking mechanism. This option is provided to help reduce scan time for scans in which the customer is only interested in certain QIDs.
There’s not always a one-to-one correspondence between a check (scan traffic you may see on the wire) and a QID. Many checks are directly associated with QIDs but not all of them. Checks for excluded QIDs may still run and cause related network traffic. The data required for a QID is collected from multiple places at scan time and we may not know at the start of the scan which checks are required for the QIDs included in the scan, so we may perform checks for QIDs that you excluded.
Intrusive checks are by default excluded from scans unless you take action to include them. You must explicitly include Intrusive checks, even if they are included in a custom Search List. Some remote vulnerabilities can only be effectively detected by attempting to compromise the vulnerability. Qualys attempts to ensure that any compromise attempted is benign, however this cannot be guaranteed.
Intrusive checks may leave the remote system in an unstable state. Intrusive QIDs will only be included in a scan if you select the setting "Do not exclude Intrusive checks" in the scan option profile. Note that you will see a warning in the UI when this option is selected at the time you save the option profile. This will allow you to go back and change the setting if it was set unintentionally.
Using authentication enables our scanner to remotely log in to your system with credentials that you provide, and because we're logged in we can do more thorough testing.
You must set up authentication records for your technologies before you scan with authentication. Go to Scans > Authentication to create records.
In the option profile, choose the types of authentication you want to perform (Windows, Unix, Oracle, etc). Not sure how to get started? Learn more
Enable Unix authentication and then select this option to use the least privileges required for Unix authentication. When selected, the scanner will not pass root delegation information specified in the Unix record to the scanner for vulnerability scans, and thus the scanner will not perform checks with elevated root privileges that are not required. Learn more
Check this option to run a quick, custom scan to test if authentication to target hosts is successful. This way you can identify issues with authentication credentials before running a full scan. The Appendix section of your Scan Results report lists hosts that passed/failed authentication. You'll also see the custom list of QIDs included in the scan.
When you choose Test Authentication, you’ll notice that these options are also enabled:
- all authentication types (you can clear any you’re not interested in but must keep at least one)
- Complete vulnerability detection (but we’re only scanning a custom list of QIDs)
- Standard Scan for TCP/UDP ports (you can switch to another option except None)
Do you have a Pay Per Scan account? A scan with Test Authentication enabled will not count against the number of available scans in your account.
When you enable the additional certificate detection option on the Scan tab, certificates are detected in more locations on your hosts. This option enables you to look for the certificates beyond the traditional ports only.
The Dissolvable Agent (Agent) is required for certain scan features (like Windows Share Enumeration). It must be accepted for the subscription - a Manager can do it by going to Scans > Setup > Dissolvable Agent. Once a Manager accepts any user with scan permissions can enable the dissolvable agent for their scans - you just configure the option profile and select "Enable the Dissolvable Agent".
How does it work? At scan time the Agent is installed on Windows devices to collect data, and once the scan is complete it removes itself completely from target systems.
Use Windows Share Enumeration to find Windows shares that are readable by everyone, and report details about them like the number of files in each share and whether the files are writable. This is good for identifying groups of files that may need tighter access control. This security test is performed using QID 90635.
Please be sure these configurations are enabled: 1) the Dissolvable Agent is enabled, 2) QID 90635 is included in the Vulnerability Detection section, and 3) a Windows authentication record is defined. Learn more
Select the Enable lite OS detection option in your option profile. When this option is enabled and QID 45017 is present in a scan, the scan job removes expensive OS detection methods from initial host discovery phase only. These methods may still be executed later during vulnerability testing if other QID detections need them, but not as a part of host discovery when basic host inventory info is collected. Learn more
You can add a specific HTTP header value to scans in order to drop defenses (such as logging, IPs, etc) when authorized scans are being run. This value will be used in the "Qualys-Scan:" header that will be set for many CGI and Web Application fingerprinting checks. Some discovery and Web Server fingerprinting checks will not use this header. Note the header is sent in plain text and should consequently not be the sole mechanism for bypassing security controls.
This option allows you to run a quick scan to determine which of your target hosts are alive without also performing other scan tests. The Appendix section of your Scan Results report will list the hosts that are alive and hosts that are not alive. Note that you may see some Information Gathered QIDs in the results for hosts found alive.
When this option is selected, we will not update the operating system for your target hosts. This is especially useful if you're running a light or custom scan and you don't want to overwrite the OS detected by the previous scan.