Option Profile Title Tab Scan Tab Map Tab System Authentication Tab Additional Tab 

VM Option Profile: Scan

The Scan tab is where you'll make scan settings like which ports to scan, which QIDs to scan, whether to include authentication, scan performance settings, and more.

Jump to a section below: 

Ports

Authentication

Scan Dead Hosts

Test Authentication

Close Vulnerabilities on Dead Hosts

Additional Certificate Detection

Purge old host data when OS is changed

Dissolvable Agent

Performance

Lite OS Scan

Load Balancer Detection

Add a Custom HTTP Header value

Password Brute Forcing

Host-Alive Testing

Vulnerability Detection

Do not overwrite OS

 


Ports

TCP Ports

We use ports to send packets to the host in order to determine whether the host is alive and also to do fingerprinting for the discovery of services. We will scan the standard list of TCP ports unless you choose a different option in the profile. Select Full to scan all ports or Light Scan to scan fewer ports. You can also add a custom list of ports to scan by selecting Additional and entering ports in the field provided. 

Perform 3-way Handshake

When enabled, the scanning engine performs a 3-way handshake with target hosts. After a connection between the service and the target host is established, the connection will be closed. This option should be enabled only if you have a configuration that does not allow an SYN packet to be followed by an RST packet. Also, when this is enabled, TCP based OS detection is not performed on target hosts. Without TCP based OS detection, the service may not be able to identify the operating system installed on target hosts and perform OS-specific vulnerability checks.

UDP Ports

We use ports to send packets to the host in order to determine whether the host is alive and also to do fingerprinting for the discovery of services. We will scan the standard list of UDP ports unless you choose a different option in the profile. Select Full to scan all ports or Light Scan to scan fewer ports. You can also add a custom list of ports to scan by selecting Additional and entering ports in the field provided. 

Full UDP port scan may not be feasible

When you choose to do a Full UDP port scan, we'll first determine if this is feasible for your target hosts. For hosts behind a firewall configured to block or drop most UDP packets and for hosts that have a limit on the transmission rate of ICMP Port Unreachable packets (e.g., one ICMP packet per second), full UDP port scanning time will be significantly increased. In these cases, we'll automatically perform a standard scan on the default UDP ports instead of a full scan.

Why do I see traffic on ports that are not in my list of ports to scan?

You'll see traffic if the port is being scanned but you may also see traffic for other reasons, such as OS detection, router/firewall detection, path analysis, port mapping analysis, etc. In these cases we may send data to a port without actually scanning it. The list of "ports to scan" only controls scan traffic, not other types of traffic. In many situations we have a need to access a port for reasons that have nothing to do with scanning the port. Ports that do not appear in the list of ports to scan may still receive network traffic during a scan, but that does not mean that they are being scanned.

Authoritative Option for light scans 

When enabled, the results from light port scans and scans on customized port lists affect the status for all vulnerabilities on target hosts, not just those detected on the scanned ports. Learn more

Other Port Options

Select ports for host discovery (affects scans and maps) on the Additional tab in the option profile. Learn more

Select ports for basic information gathering (affects maps) on the Map tab in the option profile. Learn more


Scan Dead Hosts 

A dead host is a host that is unreachable - it didn't respond to any of our pings. Typically you'd want to avoid wasting time on scanning a dead host. You may choose to scan dead hosts but note that this may substantially increase scan time.


Close Vulnerabilities on Dead Hosts 

Quickly close vulnerabilities for hosts that are not found alive after a set number of scans. When enabled, we'll mark existing tickets associated with dead hosts as Closed/Fixed and update the vulnerability status to Fixed.

Notes:

- You must choose Full or Standard options for both TCP Ports and UDP Ports in the same option profile when using this feature. This is because we don't close vulnerabilities for Light scans.

- This feature must be enabled for your subscription. Contact your Account Manager or Support to get it.


Purge old host data when OS is changed 

Note - This feature must be enabled for your subscription. Contact your Account Manager or Support to get it.

This option is useful if you have systems that are regularly decommissioned or replaced. When enabled, we'll purge a host if we detect a change in the host's operating system vendor, for example the OS changes from Linux to Windows or Debian to Ubuntu. We will not purge the host for an OS version change like Linux 2.8.13 to Linux 2.9.4.


Performance 

Important - Performance settings should only be customized under special circumstances by users with an in-depth knowledge of the target network and available bandwidth resources.

Configure performance settings to fine tune the intensity of your scans. We'll select the performance level "Normal" initially and this is recommended in most cases. Click Configure to change to another performance level. You can also define a custom level - select Custom for Overall Performance and configure the settings. Want to know more? See scan performance settings.


Load Balancer Detection 

When load balancer detection is enabled in the Scan section, we check each target host to determine if it's a load balancer. When a load balancer is detected, we determine the number of Web servers behind it and report QID #86189 "Presence of a Load-Balancing Device Detected" in your results.


Password Brute Forcing 

Use Password Brute Forcing to find out how vulnerable your hosts are to password-cracking techniques. Common targets of brute force attacks are hosts running FTP, SSH and Windows. Choose "System" and we'll attempt to guess the password for each detected login ID on each target host scanned. Select the level of brute forcing you prefer with options ranging from "Minimal" to "Exhaustive". Choose "Custom" to configure your own login/password combinations to look for. Learn more


Vulnerability Detection 

Complete

When you scan a host, the scanner first gathers information about the host and then scans for all vulnerabilities (QIDs) in the KnowledgeBase applicable to the host. This is a Complete vulnerability scan.

Custom

Select Custom under Vulnerability Detection if you prefer to limit the scan to a select list of QIDs. Then add search lists with the QIDs you're interested in. For example, you may only want to scan for vulnerabilities related to a specific product, operating system or category.

Select at runtime 

The "Select at runtime" option allows you to launch a one-time custom scan. At scan time, you'll be prompted to select vulnerabilities to include in the scan. The list of vulnerabilities is not saved in the profile and this option cannot be used for scheduled scans.

Basic host information checks 

Basic host information checks look for things like DNS hostname, NetBIOS hostname and operating system. Once we have this information for a host we show it in your scan reports, on the host assets list, in remediation tickets, and so on. These types of checks are always included in Complete scans. But if you're performing a Custom scan, you must select this option in the profile or we won't check for this basic host information.

OVAL checks 

To scan OVAL checks, use search lists in the Vulnerability Detection section, as described below. Note that you must also enable Windows authentication in the same option profile. Not sure how to get started? Learn more

To scan all OVAL vulnerabilities: add a search list that has QID 105186, and select the option "OVAL checks" in the Include section.

To scan only select OVAL vulnerabilities: add a search list that has the specific OVAL QIDs you want to test plus QID 105186.

About QID 105186: QID 105186 "Errors During Execution of User-Provided Detections" is a diagnostic QID that will provide important information about OVAL detections like errors reported and will help you if OVAL detection fails.

Can I use the Complete option? Yes, you can use "Complete" vulnerability detection along with "OVAL checks" to scan for all OVAL vulnerabilities but QID 105186 will not be included in the scan. This is why we suggest you use search lists.

Exclude QIDs  

Select the Excluded QIDs option and add one or more search lists with the QIDs you're not interested in. The scan engine will consider this list at scan time and exclude them if possible. It’s important to understand that the exclude QIDs option is not intended as a traffic blocking mechanism. This option is provided to help reduce scan time for scans in which the customer is only interested in certain QIDs.  

Why do I still see scan traffic for QIDs that were excluded?

There’s not always a one-to-one correspondence between a check (scan traffic you may see on the wire) and a QID. Many checks are directly associated with QIDs but not all of them. Checks for excluded QIDs may still run and cause related network traffic. The data required for a QID is collected from multiple places at scan time and we may not know at the start of the scan which checks are required for the QIDs included in the scan, so we may perform checks for QIDs that you excluded.

Intrusive Checks 

Intrusive checks are by default excluded from scans unless you take action to include them. You must explicitly include Intrusive checks, even if they are included in a custom Search List. Some remote vulnerabilities can only be effectively detected by attempting to compromise the vulnerability. Qualys attempts to ensure that any compromise attempted is benign, however this cannot be guaranteed.  

Intrusive checks may leave the remote system in an unstable state. Intrusive QIDs will only be included in a scan if you select the setting "Do not exclude Intrusive checks" in the scan option profile. Note that you will see a warning in the UI when this option is selected at the time you save the option profile. This will allow you to go back and change the setting if it was set unintentionally.


Authentication 

Using authentication enables our scanner to remotely log in to your system with credentials that you provide, and because we're logged in we can do more thorough testing.

You must set up authentication records for your technologies before you scan with authentication. Go to Scans > Authentication to create records.

In the option profile, choose the types of authentication you want to perform (Windows, Unix, Oracle, etc). Not sure how to get started? Learn more


Test Authentication 

Check this option to run a quick, custom scan to test if authentication to target hosts is successful. This way you can identify issues with authentication credentials before running a full scan. The Appendix section of your Scan Results report lists hosts that passed/failed authentication. You'll also see the custom list of QIDs included in the scan.

When you choose Test Authentication, you’ll notice that these options are also enabled:

- all authentication types (you can clear any you’re not interested in but must keep at least one)

- Complete vulnerability detection (but we’re only scanning a custom list of QIDs)

- Standard Scan for TCP/UDP ports (you can switch to another option except None)

Do you have a Pay Per Scan account? A scan with Test Authentication enabled will not count against the number of available scans in your account.


Additional Certificate Detection 

When you enable the additional certificate detection option on the Scan tab, certificates are detected in more locations on your hosts. This option enables you to look for the certificates beyond the traditional ports only.


Dissolvable Agent 

Enable the Dissolvable Agent

The Dissolvable Agent (Agent) is required for certain scan features (like Windows Share Enumeration). It must be accepted for the subscription - a Manager can do it by going to Scans > Setup > Dissolvable Agent. Once a Manager accepts any user with scan permissions can enable the dissolvable agent for their scans - you just configure the option profile and select "Enable the Dissolvable Agent".

How does it work? At scan time the Agent is installed on Windows devices to collect data, and once the scan is complete it removes itself completely from target systems.

Enable Windows Share Enumeration 

Use Windows Share Enumeration to find Windows shares that are readable by everyone, and report details about them like the number of files in each share and whether the files are writable. This is good for identifying groups of files that may need tighter access control. This security test is performed using QID 90635.

Please be sure these configurations are enabled: 1) the Dissolvable Agent is enabled, 2) QID 90635 is included in the Vulnerability Detection section, and 3) a Windows authentication record is defined. Learn more


Lite OS Scan 

Select the Enable lite OS detection option in your option profile. When this option is enabled and QID 45017 is present in a scan, the scan job removes expensive OS detection methods from initial host discovery phase only. These methods may still be executed later during vulnerability testing if other QID detections need them, but not as a part of host discovery when basic host inventory info is collected. Learn more


Add a Custom HTTP Header value 

You can add a specific HTTP header value to scans in order to drop defenses (such as logging, IPs, etc) when authorized scans are being run. This value will be used in the "Qualys-Scan:" header that will be set for many CGI and Web Application fingerprinting checks. Some discovery and Web Server fingerprinting checks will not use this header. Note the header is sent in plain text and should consequently not be the sole mechanism for bypassing security controls.


Host-Alive Testing 

This option allows you to run a quick scan to determine which of your target hosts are alive without also performing other scan tests. The Appendix section of your Scan Results report will list the hosts that are alive and hosts that are not alive. Note that you may see some Information Gathered QIDs in the results for hosts found alive.


Do not overwrite OS

When this option is selected, we will not update the operating system for your target hosts. This is especially useful if you're running a light or custom scan and you don't want to overwrite the OS detected by the previous scan.