Configure Your Scan Option Profile

You choose an option profile every time you start a scan or map. The profile defines the settings you want to use. We recommend you create profiles with custom settings for different types of scans. For example, you may want a profile for light port scans or a profile that only looks for Microsoft security updates.

How do I make the profile available to others?

Want to purge hosts when the OS changes?

Tell me about the default profile

Password Brute Forcing

How do I change the owner?

Tell me about the dissolvable agent

Select ports to scan

Windows Share Enumeration

Why do I see traffic on ports that are not in my list of ports to scan?

Want to run a lite OS scan?

Select QIDs to scan

Do not overwrite host OS

How do I exclude QIDs from my scans?

How to add a custom HTTP header value

Enable authentication

How to run a host alive test

Test authentication

Want to detect load balancers?

Want to detect additional certificates?

Perform live host sweep for maps

Tell me about performance settings

Ignore certain packets

Want to scan dead hosts?

Worried about triggering your IDS?

Want to close vulnerabilities on dead hosts?

Can I edit PCI settings?

How do I make the profile available to others?

Make it global. Global profiles created by Managers are made available to all users in the subscription. Global profiles created by Unit Managers are made available to all users in their business unit. If a user has permission to create option profiles, then the user also has permission to save personal copies of global profiles published by their Managers, in order to use them as a baseline for new option profiles.

Tell me about the default profile

It's best practice to apply the same set of options across scan tasks to ensure compliance with corporate security policies and accurate trend reporting. A default option profile is defined for this reason. The service provides an initial default option profile called "Initial Options" which may be customized and renamed. There is one default profile for the subscription. Any Manager can select a new profile as the default.

How do I change the owner?

The user who creates a profile is set as the initial owner. Managers and Unit Managers can edit a profile in order to change the owner. The possible assignees listed in the Owner menu depend on the global status of the profile, the role of the manager making the change, and the current owner's role and business unit.

Global Option Profile

Non-Global Option Profile

Conflicts with Scheduled Tasks

Select ports to scan

We use ports to send packets to the host in order to determine whether the host is alive and also to do fingerprinting for the discovery of services. We will scan the standard list of ports (TCP and UDP) unless you choose a different option in the profile. Select Full to scan all ports or Light Scan to scan fewer ports. You can also add a custom list of ports to scan.

Perform 3 way Handshake

Authoritative scan option

Full UDP port scan may not be feasible

Select ports for host discovery (scans and maps)

Select ports for basic information gathering (maps only)

Tell me about ports that are always scanned for a map

Destination ports in the TCP SYN packets

Why do I see traffic on ports that are not in my list of ports to scan?

You'll see traffic on a port when it is being scanned, but you may also see traffic for other reasons, such as OS detection, router/firewall detection, path analysis and port mapping analysis. In those cases we send data to a port without actually scanning it. The list of "ports to scan" controls only scan traffic, not these other types of traffic, so ports that are not in the list may still receive packets during a scan; that does not mean they are being scanned.

Select QIDs to scan

When you scan a host, the scanner first gathers information about the host and then scans for all vulnerabilities (QIDs) in the KnowledgeBase applicable to the host. This is a complete vulnerability scan. Select Custom under Vulnerability Detection if you prefer to limit the scan to a select list of QIDs. Then add search lists with the QIDs you're interested in. For example, you may only want to scan for vulnerabilities related to a specific product, operating system or category.

Basic host information checks

Select at Runtime

How do I scan OVAL vulnerabilities?

How do I exclude QIDs from my scans?

Select the Excluded QIDs option and add one or more search lists with the QIDs you're not interested in. The scan engine considers this list at scan time and skips the excluded QIDs where possible. It's important to understand that excluding QIDs is not a traffic-blocking mechanism. The option is provided to reduce scan time when you are only interested in certain QIDs.

Why do I still see scan traffic for QIDs that were excluded? There’s not always a one-to-one correspondence between a check (scan traffic you may see on the wire) and a QID. Many checks are directly associated with QIDs but not all of them. Checks for excluded QIDs may still run and cause related network traffic. The data required for a QID is collected from multiple places at scan time and we may not know at the start of the scan which checks are required for the QIDs included in the scan, so we may perform checks for QIDs that you excluded.

Enable authentication

Using authentication enables our scanner to remotely log in to your system with credentials that you provide, and because we're logged in we can do more thorough testing. Be sure to set up authentication records for your technologies before you scan. Choose the types of authentication you want to perform (Windows, Unix, Oracle, etc). Not sure how to get started? Learn more

The Map section provides these authentication options:

vCenter authentication for ESX/ESXi host discovery - Select this option to create a vCenter map. You'll need vCenter map data to scan ESXi hosts using vCenter. vCenter authentication is required. Be sure to set up vCenter authentication records under Scans > Authentication. Learn more

ESX/ESXi authentication for guest discovery - Select this option to retrieve a list of virtual guest hosts residing on a VMware server. VMware authentication is required. Be sure to set up VMware authentication records under Scans > Authentication. Learn more

Test authentication

Check this option to run a quick, custom scan to test if authentication to target hosts is successful. This way you can identify issues with authentication credentials before running a full scan. The Appendix section of your Scan Results report lists hosts that passed/failed authentication. You'll also see the custom list of QIDs included in the scan.

When you choose Test Authentication, you’ll notice that these options are also enabled:
- all authentication types (you can clear any you’re not interested in but must keep at least one)
- Complete vulnerability detection (but we’re only scanning a custom list of QIDs)
- Standard Scan for TCP/UDP ports (you can switch to another option except None)

Do you have a Pay Per Scan account? A scan with Test Authentication enabled will not count against the number of available scans in your account.

Want to detect additional certificates?

With additional certificate detection enabled in the Scan section, certificates are detected in more locations on your hosts: we look for certificates on more than the traditional SSL/TLS ports.

Tell me about performance settings

Use performance settings to fine tune the intensity of your scans. We'll select the performance level Normal initially and this is recommended in most cases. Click Configure if you want to change to another level. You can define a custom level - select Custom for Overall Performance and configure the settings. Want to know more? See scan performance settings and map performance settings.  

External Scanners to use: You can restrict the number of external scanners to be used for associated scans. This setting is visible only if you have multiple external scanners in your subscription. For example, if you have 10 external scanners in your subscription, you can configure this setting to any number from 1 to 10.

Want to detect load balancers?

When load balancer detection is enabled in the Scan section, we check each target host to determine if it's a load balancer. When a load balancer is detected, we determine the number of Web servers behind it and report QID #86189 "Presence of a Load-Balancing Device Detected" in your results.

Want to scan dead hosts?

A dead host is a host that is unreachable - it didn't respond to any of our pings. Typically you'd want to avoid wasting time on scanning a dead host. You may choose to scan dead hosts but note that this may substantially increase scan time.

Want to close vulnerabilities on dead hosts?

Quickly close vulnerabilities for hosts that are not found alive after a set number of scans. When enabled, we'll mark existing tickets associated with dead hosts as Closed/Fixed and update the vulnerability status to Fixed. (This feature must be enabled for your subscription. Contact your Account Manager or Support to get it.)

Want to purge hosts when the OS changes?

This option is useful if you have systems that are regularly decommissioned or replaced. When enabled, we'll purge a host if we detect a change in the host's operating system vendor, for example the OS changes from Linux to Windows or Debian to Ubuntu. We will not purge the host for an OS version change like Linux 2.8.13 to Linux 2.9.4. (This feature must be enabled for your subscription. Contact your Account Manager or Support to get it.)

Password Brute Forcing

Use Password Brute Forcing to find out how vulnerable your hosts are to password-cracking techniques. Common targets of brute force attacks are hosts running FTP, SSH and Windows. Choose "System" and we'll attempt to guess the password for each detected login ID on each target host scanned. Select the level of brute forcing you prefer with options ranging from "Minimal" to "Exhaustive". Choose "Custom" to configure your own login/password combinations to look for. Learn more

Tell me about the dissolvable agent

The Dissolvable Agent (Agent) is required for certain scan features (like Windows Share Enumeration). It must be accepted for the subscription; a Manager can do this by going to Scans > Setup > Dissolvable Agent. Once a Manager has accepted it, any user with scan permissions can enable the Dissolvable Agent for their scans: configure the option profile and select "Enable the Dissolvable Agent". How does it work? At scan time the Agent is installed on Windows devices to collect data, and once the scan is complete it removes itself completely from the target systems.

Windows Share Enumeration

Use Windows Share Enumeration to find Windows shares that are readable by everyone, and report details about them like the number of files in each share and whether the files are writable. This is good for identifying groups of files that may need tighter access control. This security test is performed using QID 90635. Please be sure these configurations are enabled: 1) the Dissolvable Agent is enabled, 2) QID 90635 is included in the Vulnerability Detection section, and 3) a Windows authentication record is defined. Learn more

Want to run a lite OS scan?

Select the Enable lite OS detection option in your option profile. When this option is enabled and QID 45017 is present in a scan, the scan job removes expensive OS detection methods from the initial host discovery phase only. These methods may still be executed later during vulnerability testing if other QID detections need them, but not as part of host discovery, when basic host inventory information is collected. Learn more

Do not overwrite host OS

When selected, we will not update the operating system for your target hosts. This is especially useful if you're running a light or custom scan and you don't want to overwrite the OS detected by the previous scan.

How to add a custom HTTP header value

You can add a specific HTTP header value to scans so that your defenses (logging, IPS blocking, etc.) can recognize authorized scans and stand down for them. The value is sent in the "Qualys-Scan:" header, which is set for many CGI and Web Application fingerprinting checks. Some discovery and Web Server fingerprinting checks do not use this header, so not all scan traffic will carry it. Note that the header is sent in plain text and can be replayed by anyone who observes or guesses it; it should consequently not be the sole mechanism for bypassing security controls. Combine it with allow-listing of your scanner source addresses.

How to run a host alive test

This option allows you to run a quick scan to determine which of your target hosts are alive without also performing other scan tests. The Appendix section of your Scan Results report will list the hosts that are alive and hosts that are not alive. Note that you may see some Information Gathered QIDs in the results for hosts found alive.

Perform live host sweep for maps

During a map, we must first determine which hosts are alive. We ping every host within the target domain's netblock using ICMP, TCP and UDP probes. TCP and UDP probes are sent to default ports for common services, such as DNS, TELNET, SMTP, HTTP and SNMP. If these probes trigger at least one response from the host, the host is considered alive and is reported on. You have the option to disable the live host sweep to discover devices using DNS discovery methods only (DNS, Reverse DNS and DNS Zone Transfer). Active probes will not be sent. As a result, we may not be able to detect all hosts in the netblock, and undetected hosts will not be analyzed.

Ignore certain packets

If you want to ignore certain packets enable packet options in the Additional section:

Ignore Firewall-Generated TCP RST Packets

Ignore All TCP RST Packets (maps only)

Ignore firewall-generated SYN-ACK packets

Do not send ACK or SYN-ACK packets during host discovery
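How a TCP probe in a live host sweep is interpreted, and why the RST/SYN-ACK options above exist, as an added example (not Qualys code): a completed handshake (SYN-ACK) means the port is open and the host is alive; a connection refused (RST) means the port is closed but something answered, so the host is still alive; a timeout is no evidence either way. A firewall or load balancer in front of a dead or unused address may answer RST (or even SYN-ACK) on its behalf, which makes the whole range look alive; discounting RSTs, as the ignore options do, trades that false positive for a risk of missing hosts that only ever answer with RST. The loopback listener and closed port are set up by the script itself so it runs offline.

```python
"""Classify TCP probe results the way a host-discovery sweep would."""
import socket
from enum import Enum


class Probe(Enum):
    OPEN = "syn-ack"          # handshake completed
    CLOSED = "rst"            # connection refused
    NO_RESPONSE = "timeout"   # filtered, unreachable or dead


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> Probe:
    """Send one TCP connect (a SYN) and classify what came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return Probe.OPEN
        except ConnectionRefusedError:    # the peer answered with RST
            return Probe.CLOSED
        except OSError:                   # timeout, ICMP unreachable, no route
            return Probe.NO_RESPONSE


def host_alive(results, ignore_rst: bool = False) -> bool:
    """A host is alive if any probe drew a response. With ignore_rst=True an
    RST no longer counts as proof of life (a firewall may have sent it), so
    only a completed handshake does."""
    for r in results:
        if r is Probe.OPEN:
            return True
        if r is Probe.CLOSED and not ignore_rst:
            return True
    return False


def sweep(host: str, ports, ignore_rst: bool = False):
    """Probe the discovery port list and decide liveness for one host."""
    results = {p: tcp_probe(host, p) for p in ports}
    return host_alive(results.values(), ignore_rst), results


# Helpers so the example runs against loopback instead of a real netblock.
def listen_on_loopback():
    """Open a listening socket on an ephemeral port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_closed_port() -> int:
    """Reserve and release a port so that a probe to it is refused (RST)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = listen_on_loopback()
    closed_port = free_closed_port()
    alive, detail = sweep("127.0.0.1", [open_port, closed_port])
    print("alive:", alive, {p: r.value for p, r in detail.items()})
    # A range where only RSTs come back looks alive unless RSTs are discounted:
    only_rst = [Probe.CLOSED, Probe.CLOSED]
    print("RST-only host alive:", host_alive(only_rst),
          "| with ignore_rst:", host_alive(only_rst, ignore_rst=True))
    srv.close()
```

This is also why the "ports to scan" question above comes up: the discovery probes go to a small fixed list of ports regardless of the vulnerability-scan port list, and a closed port that answers RST is doing useful work for discovery even though it is never "scanned".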

Worried about triggering your IDS?

If our scan triggers your IDS, then it will likely be firewalled and we won't be able to continue our search for vulnerabilities on your network. Therefore, we need to know which IPs you have protected and which ports are blocked. Go to the Blocked Resources section and select the ports that are blocked and IP addresses that are protected by your firewall/IDS.

Other options to consider

Can I edit PCI settings?

Yes. There are limited scan settings that can be edited in PCI option profiles. Managers have permission to edit the service provided profile called "Payment Card Industry (PCI) Options" which is optimized for PCI external scans. Users can also create custom PCI option profiles from the New menu. Learn more