Configure Your Scan Option Profile

You choose an option profile every time you start a scan or map. The profile defines the settings you want to use. We recommend you create profiles with custom settings for different types of scans. For example, you may want a profile for light port scans or a profile that only looks for Microsoft security updates.

How do I make the profile available to others?

Make it global. Global profiles created by Managers are made available to all users in the subscription. Global profiles created by Unit Managers are made available to all users in their business unit. If a user has permission to create option profiles, then the user also has permission to save personal copies of global profiles published by their Managers in order to use them as a baseline for new option profiles.

Tell me about the default profile

It's best practice to apply the same set of options across scan tasks to ensure compliance with corporate security policies and accurate trend reporting. A default option profile is defined for this reason. The service provides an initial default option profile called "Initial Options" which may be customized and renamed. There is one default profile for the subscription. Any Manager can select a new profile as the default by editing the profile and checking the option "Set this as the default option profile when launching maps and scans". Note that this option only applies to VM option profiles. 

How do I change the owner?

The user who creates a profile is set as the initial owner. Managers and Unit Managers can edit a profile in order to change the owner. The possible assignees listed in the Owner menu depend on the global status of the profile, the role of the manager making the change, and the current owner's role and business unit.

Global Option Profile

Global option profiles may be owned by Managers and Unit Managers.

User taking action: Manager
Current owner: Manager in the Unassigned business unit
Possible new owner: Manager in the Unassigned business unit

User taking action: Manager
Current owner: Unit Manager in a custom business unit
Possible new owner: Manager in the Unassigned business unit
- or -
Unit Manager in the same business unit as the current owner

User taking action: Unit Manager
Current owner: Unit Manager in a custom business unit
Possible new owner: Unit Manager in the same business unit as the current owner

Non-Global Option Profile

Non-global option profiles may be owned by Managers, Unit Managers and Scanners.

User taking action: Manager
Current owner: Manager or Scanner in the Unassigned business unit
Possible new owner: Manager or Scanner in the Unassigned business unit

User taking action: Manager
Current owner: Unit Manager or Scanner in a custom business unit
Possible new owner: Manager in the Unassigned business unit
- or -
Unit Manager or Scanner in the same business unit as the current owner

User taking action: Unit Manager
Current owner: Unit Manager or Scanner in a custom business unit
Possible new owner: Unit Manager or Scanner in the same business unit as the current owner

Conflicts with Scheduled Tasks

Changing the owner may lead to conflicts with scheduled tasks. Conflicts occur when an option profile is no longer available to the owner of a scheduled task that uses the profile. When you save the profile with the new owner you'll get a report listing the schedules that have conflicts so that you can go and edit them. If a schedule is left without a valid profile then it will be deactivated before the next scheduled run time and the task owner will be notified.

Tip: If you're changing the owner to a Manager or Unit Manager, then you may consider making the option profile global before making the change. This way you can avoid conflicts and allow users to continue using the profile.

Select ports to scan

We use ports to send packets to the host in order to determine whether the host is alive and also to do fingerprinting for the discovery of services. We will scan the standard list of ports (TCP and UDP) unless you choose a different option in the profile. Select Full to scan all ports or Light Scan to scan fewer ports. You can also add a custom list of ports to scan.

Perform 3-way Handshake

When enabled, the scanning engine performs a 3-way handshake with target hosts. After a connection between the service and the target host is established, the connection will be closed. This option should be enabled only if you have a configuration that does not allow a SYN packet to be followed by an RST packet. Also, when this is enabled, TCP-based OS detection is not performed on target hosts. Without TCP-based OS detection, the service may not be able to identify the operating system installed on target hosts and perform OS-specific vulnerability checks.

Authoritative scan option

When enabled, the results from light port scans and scans on customized port lists affect the status for all vulnerabilities on target hosts, not just those detected on the scanned ports.

Full UDP port scan may not be feasible

When you choose to do a full UDP port scan, we'll first determine if this is feasible for your target hosts. For hosts behind a firewall configured to block or drop most UDP packets and for hosts that have a limit on the transmission rate of ICMP Port Unreachable packets (e.g., one ICMP packet per second), full UDP port scanning time will be significantly increased. In these cases, we'll automatically perform a standard scan on the default UDP ports instead of a full scan.

Select ports for host discovery (scans and maps)

Go to the Additional section to select which probes are sent and which ports are scanned during host discovery. The service pings every target host using ICMP, TCP, and UDP probes and then analyzes the packets sent in response to determine which hosts are "alive". If you change the default settings, the service may not detect all live hosts, and hosts that go undetected cannot be scanned for vulnerabilities. These settings should only be customized under special circumstances: for example, to add ports that are not included in the Standard port list, to remove probes that will trigger your firewall/IDS, or to discover only live hosts that respond to an ICMP ping.

Select ports for basic information gathering (maps only)

Go to the Map section to select which hosts and ports to scan for basic information gathering during maps.

How does it work? Additional scan tests are launched, which may result in the detection of additional devices, such as routers. We attempt to identify the operating system installed on each host and we scan ports to determine which ports are open. We also send UDP packets to UDP port 1 and a random port for path discovery.

Which hosts are scanned? This depends on your selection under "Perform Basic Information Gathering on". All Hosts includes every host detected during the mapping process. Registered Hosts includes hosts in your account. Netblock Hosts includes hosts in the netblock for the mapped domain.

Tell me about ports that are always scanned for a map

Ports 80 and 88 are scanned by default even if you clear all port options in the Map and Additional sections of the option profile. The scanner sends a TCP SYN packet (with the port as the destination port) as well as TCP ACK and TCP SYN+ACK packets. So even if you've cleared (unchecked) all ports, you will still see TCP SYN, TCP ACK and TCP SYN+ACK packets for ports 80 and 88.

Destination ports in the TCP SYN packets

During host discovery, the service by default sends TCP SYN packets to the following ports: 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 443, 445 and 5631. In addition, it also sends:

- TCP ACK packet with a source port of 80 and a destination port of 2869

- TCP ACK packet with a source port of 25 and a destination port of 12531

- TCP SYN+ACK packet with a source port of 80 and a destination port of 41641

If you don't want these packets sent, select the "Do not send TCP ACK or SYN-ACK packets during host discovery" check box under Packet Options on the Additional tab in the option profile.
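As an added example (not part of the Qualys documentation or product), the following Python tags firewall flow records that match the discovery probes listed above, so an administrator can see which entries are scanner host-discovery traffic and which are the out-of-state ACK/SYN-ACK probes that the check box above suppresses. The scanner address and the log lines are constructed.

```python
from dataclasses import dataclass

# Placeholder scanner address (TEST-NET-3); substitute your subscription's scanner IPs.
SCANNER_IP = "203.0.113.10"

# Default TCP SYN destination ports for host discovery (from the list above).
SYN_DISCOVERY_PORTS = {21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 443, 445, 5631}

# (flags, source port, destination port) of the extra default probes listed above.
EXTRA_PROBES = {
    ("ACK", 80, 2869),
    ("ACK", 25, 12531),
    ("SYN+ACK", 80, 41641),
}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "ACK", "SYN+ACK"; empty for non-TCP records


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'proto src:sport > dst:dport [flags]' record."""
    parts = line.split()
    src, sport = parts[1].rsplit(":", 1)
    dst, dport = parts[3].rsplit(":", 1)
    flags = parts[4] if len(parts) > 4 else ""
    return Flow(parts[0], src, int(sport), dst, int(dport), flags)


def classify(flow: Flow) -> str:
    """Label one record.

    discovery-syn : SYN to one of the default discovery ports
    discovery-oos : out-of-state ACK / SYN+ACK probe (no SYN preceded it);
                    this is the traffic the "Do not send TCP ACK or SYN-ACK
                    packets during host discovery" option suppresses
    other         : port-scan traffic, UDP/ICMP probes, or not from the scanner
    """
    if flow.src != SCANNER_IP or flow.proto != "tcp":
        return "other"
    if flow.flags == "SYN" and flow.dport in SYN_DISCOVERY_PORTS:
        return "discovery-syn"
    if (flow.flags, flow.sport, flow.dport) in EXTRA_PROBES:
        return "discovery-oos"
    return "other"


def summarize(lines):
    """Count records per label; a quick way to see how much out-of-state traffic there is."""
    counts = {"discovery-syn": 0, "discovery-oos": 0, "other": 0}
    for line in lines:
        counts[classify(parse_flow(line))] += 1
    return counts


# Constructed sample records (TEST-NET addresses), not real captured traffic.
SAMPLE_LOG = [
    "tcp 203.0.113.10:41230 > 192.0.2.15:445 SYN",
    "tcp 203.0.113.10:80 > 192.0.2.15:2869 ACK",
    "tcp 203.0.113.10:25 > 192.0.2.15:12531 ACK",
    "tcp 203.0.113.10:80 > 192.0.2.15:41641 SYN+ACK",
    "tcp 203.0.113.10:41231 > 192.0.2.15:8080 SYN",  # port scan, not discovery
    "udp 203.0.113.10:53412 > 192.0.2.15:53",         # UDP probe, not matched here
    "tcp 198.51.100.7:51000 > 192.0.2.15:445 SYN",    # not the scanner at all
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{classify(parse_flow(line)):14} {line}")
    print(summarize(SAMPLE_LOG))
```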

Why do I see traffic on ports that are not in my list of ports to scan?

You'll see traffic if the port is being scanned but you may also see traffic for other reasons, such as OS detection, router/firewall detection, path analysis, port mapping analysis, etc. In these cases we may send data to a port without actually scanning it. The list of "ports to scan" only controls scan traffic, not other types of traffic. In many situations we have a need to access a port for reasons that have nothing to do with scanning the port. Ports that do not appear in the list of ports to scan may still receive network traffic during a scan, but that does not mean that they are being scanned.

Select QIDs to scan

When you scan a host, the scanner first gathers information about the host and then scans for all vulnerabilities (QIDs) in the KnowledgeBase applicable to the host. This is a complete vulnerability scan. Select Custom under Vulnerability Detection if you prefer to limit the scan to a select list of QIDs. Then add search lists with the QIDs you're interested in. For example, you may only want to scan for vulnerabilities related to a specific product, operating system or category.

Basic host information checks

Basic host information checks look for things like DNS hostname, NetBIOS hostname and operating system. Once we have this information for a host we show it in your scan reports, on the host assets list, in remediation tickets, and so on. These types of checks are always included in Complete scans. But if you're performing a Custom scan, you must select this option in the profile or we won't check for this basic host information.

Select at Runtime

The runtime option allows you to launch a one-time custom scan. At scan time, you'll be prompted to select vulnerabilities to include in the scan. The list of vulnerabilities is not saved in the profile and this option cannot be used for scheduled scans.

How do I scan OVAL vulnerabilities?

Use search lists in the Vulnerability Detection section, as described below. Note that you must also enable Windows authentication in the same profile.

To scan all OVAL vulnerabilities: add a search list that has QID 105186, and select the check box "OVAL checks" in the Include section.

To scan select OVAL vulnerabilities: add a search list that has the specific OVAL QIDs you want to test plus QID 105186.

Tell me about QID 105186

QID 105186 "Errors During Execution of User-Provided Detections" is a diagnostic QID that will provide important information about OVAL detections like errors reported and will help you if OVAL detection fails.

Can I use the Complete option?

Yes, you can use "Complete" along with "OVAL checks" to scan for all OVAL vulnerabilities but QID 105186 will not be included in the scan. This is why we suggest you use search lists.

How do I exclude QIDs from my scans?

Select the Excluded QIDs option and add one or more search lists with the QIDs you're not interested in. The scan engine will consider this list at scan time and exclude them if possible. It’s important to understand that the exclude QIDs option is not intended as a traffic blocking mechanism. This option is provided to help reduce scan time for scans in which the customer is only interested in certain QIDs.  

Why do I still see scan traffic for QIDs that were excluded? There’s not always a one-to-one correspondence between a check (scan traffic you may see on the wire) and a QID. Many checks are directly associated with QIDs but not all of them. Checks for excluded QIDs may still run and cause related network traffic. The data required for a QID is collected from multiple places at scan time and we may not know at the start of the scan which checks are required for the QIDs included in the scan, so we may perform checks for QIDs that you excluded.

How do I include intrusive QIDs in my scan?

Intrusive checks are by default excluded from scans unless you take action to include them. You must explicitly include Intrusive checks, even if they are included in a custom Search List. Some remote vulnerabilities can only be effectively detected by attempting to compromise the vulnerability. Qualys attempts to ensure that any compromise attempted is benign; however, this cannot be guaranteed. Intrusive checks may leave the remote system in an unstable state.

Intrusive QIDs will only be included in a scan if you select the setting "Do not exclude Intrusive checks" in the scan option profile. Note that you will see a warning in the UI when this option is selected at the time you save the option profile. This will allow you to go back and change the setting if it was set unintentionally.

Enable authentication

Using authentication enables our scanner to remotely log in to your system with credentials that you provide, and because we're logged in we can do more thorough testing. Be sure to set up authentication records for your technologies before you scan. Choose the types of authentication you want to perform (Windows, Unix, Oracle, etc).

The Map section provides these authentication options:

vCenter authentication for ESX/ESXi host discovery - Select this option to create a vCenter map. You'll need vCenter map data to scan ESXi hosts using vCenter. vCenter authentication is required. Be sure to set up vCenter authentication records under Scans > Authentication.

ESX/ESXi authentication for guest discovery - Select this option to retrieve a list of virtual guest hosts residing on a VMware server. VMware authentication is required. Be sure to set up VMware authentication records under Scans > Authentication.

Test authentication

Check this option to run a quick, custom scan to test if authentication to target hosts is successful. This way you can identify issues with authentication credentials before running a full scan. The Appendix section of your Scan Results report lists hosts that passed/failed authentication. You'll also see the custom list of QIDs included in the scan.

When you choose Test Authentication, you’ll notice that these options are also enabled:
- all authentication types (you can clear any you’re not interested in but must keep at least one)
- Complete vulnerability detection (but we’re only scanning a custom list of QIDs)
- Standard Scan for TCP/UDP ports (you can switch to another option except None)

Do you have a Pay Per Scan account? A scan with Test Authentication enabled will not count against the number of available scans in your account.

Want to detect additional certificates?

With additional certificate detection enabled in the Scan tab, certificates are detected in more locations on your hosts. This option lets you look for certificates beyond the traditional ports.

Tell me about performance settings

Use performance settings to fine-tune the intensity of your scans. We'll select the performance level Normal initially and this is recommended in most cases. Click Configure if you want to change to another level. You can define a custom level: select Custom for Overall Performance and configure the settings. Want to know more? See scan performance settings and map performance settings.

External Scanners to use: You can restrict the number of external scanners to be used for associated scans. This setting is visible only if you have multiple external scanners in your subscription. For example, if you have 10 external scanners in your subscription, you can configure this setting to any number between 1 and 10.

Want to detect load balancers?

When load balancer detection is enabled in the Scan section, we check each target host to determine if it's a load balancer. When a load balancer is detected, we determine the number of Web servers behind it and report QID #86189 "Presence of a Load-Balancing Device Detected" in your results.

Want to scan dead hosts?

A dead host is a host that is unreachable - it didn't respond to any of our pings. Typically you'd want to avoid wasting time on scanning a dead host. You may choose to scan dead hosts but note that this may substantially increase scan time.

Want to close vulnerabilities on dead hosts?

Quickly close vulnerabilities for hosts that are not found alive after a set number of scans. When enabled, we'll mark existing tickets associated with dead hosts as Closed/Fixed and update the vulnerability status to Fixed. (This feature must be enabled for your subscription. Contact your Account Manager or Support to get it.)

Want to purge hosts when the OS is changed?

This option is useful if you have systems that are regularly decommissioned or replaced. When enabled, we'll purge a host if we detect a change in the host's operating system vendor, for example the OS changes from Linux to Windows or Debian to Ubuntu. We will not purge the host for an OS version change like Linux 2.8.13 to Linux 2.9.4. (This feature must be enabled for your subscription. Contact your Account Manager or Support to get it.)

Password Brute Forcing

Use Password Brute Forcing to find out how vulnerable your hosts are to password-cracking techniques. Common targets of brute force attacks are hosts running FTP, SSH and Windows. Choose "System" and we'll attempt to guess the password for each detected login ID on each target host scanned. Select the level of brute forcing you prefer with options ranging from "Minimal" to "Exhaustive". Choose "Custom" to configure your own login/password combinations to look for.

Tell me about the dissolvable agent

The Dissolvable Agent (Agent) is required for certain scan features (like Windows Share Enumeration). It must be accepted for the subscription; a Manager can do this by going to Scans > Setup > Dissolvable Agent. Once a Manager has accepted it, any user with scan permissions can enable the Dissolvable Agent for their scans: just configure the option profile and select "Enable the Dissolvable Agent". How does it work? At scan time the Agent is installed on Windows devices to collect data, and once the scan is complete it removes itself completely from target systems.

Windows Share Enumeration

Use Windows Share Enumeration to find Windows shares that are readable by everyone, and report details about them like the number of files in each share and whether the files are writable. This is good for identifying groups of files that may need tighter access control. This security test is performed using QID 90635. Please be sure these configurations are enabled: 1) the Dissolvable Agent is enabled, 2) QID 90635 is included in the Vulnerability Detection section, and 3) a Windows authentication record is defined.

Want to run a lite OS scan?

Select the Enable lite OS detection option in your option profile. When this option is enabled and QID 45017 is present in a scan, the scan job removes expensive OS detection methods from the initial host discovery phase only. These methods may still be executed later during vulnerability testing if other QID detections need them, but not as part of host discovery when basic host inventory information is collected.

Do not overwrite host OS

When selected, we will not update the operating system for your target hosts. This is especially useful if you're running a light or custom scan and you don't want to overwrite the OS detected by the previous scan.

How to add a custom HTTP header value

You can add a specific HTTP header value to scans in order to drop defenses (such as logging, IPS, etc) when authorized scans are being run. This value will be used in the "Qualys-Scan:" header that will be set for many CGI and Web Application fingerprinting checks. Some discovery and Web Server fingerprinting checks will not use this header. Note that the header is sent in plain text and should consequently not be the sole mechanism for bypassing security controls.

How to run a host alive test

This option allows you to run a quick scan to determine which of your target hosts are alive without also performing other scan tests. The Appendix section of your Scan Results report will list the hosts that are alive and hosts that are not alive. Note that you may see some Information Gathered QIDs in the results for hosts found alive.

Perform live host sweep for maps

During a map, we must first determine which hosts are alive. We ping every host within the target domain's netblock using ICMP, TCP and UDP probes. TCP and UDP probes are sent to default ports for common services, such as DNS, TELNET, SMTP, HTTP and SNMP. If these probes trigger at least one response from the host, the host is considered alive and is reported on. You have the option to disable the live host sweep and discover devices using DNS discovery methods only (DNS, Reverse DNS and DNS Zone Transfer). Active probes will not be sent. As a result, we may not be able to detect all hosts in the netblock, and undetected hosts will not be analyzed.

Ignore certain packets

If you want to ignore certain packets enable packet options in the Additional section:

Ignore Firewall-Generated TCP RST Packets

When enabled, we will try to identify firewall-generated TCP RESET packets and ignore them. Note, however, that it is not always possible to determine whether a RESET packet is firewall generated but we will make a best effort. Some firewall-generated RESET packets could still be misidentified as generated by live host(s) and in this case they will not be ignored.

If the target for a scan or map is a range larger than a class B, we will not attempt to figure out whether RESET packets are firewall generated; instead we ignore all RESET packets. This is because the scan time or the map time will be very long.

Ignore All TCP RST Packets (maps only)

When enabled, we will ignore all TCP RESET packets, including firewall-generated RESET packets and live-host-generated RESET packets. This option is available to find hosts with one or a few selected ports open. It can also be used for cases in which there are firewall-generated RESET packets but we fail to identify and ignore them when Ignore Firewall-Generated TCP RST Packets is selected, resulting in many phantom hosts being reported as live hosts.

Typical use cases for choosing this option:

a) You want to find hosts with at least one of the selected TCP ports open and you don't care about any other live hosts. This is a rather specific use case. For example you want to find hosts and only hosts with TCP port 1433 or TCP port 1434 open and you don't want to see any other live hosts in the map results.

To implement a solution for this use case you must: 1) Enable this option to ignore all TCP RESET packets, 2) Disable ICMP and UDP for host discovery and also restrict TCP ports for host discovery to the selected ports (in the option profile on the Additional tab), and 3) Select the option to ignore hosts that are discovered via DNS and only via DNS (in the option profile on the Map tab select "Exclude Hosts Only Discovered via DNS").

b) You have firewall-generated TCP RESET packets which were not successfully identified (even after you selected the option to ignore firewall-generated RESET packets). Consequently, you'll see many dead hosts in the map results.

To implement a solution for this use case you must: 1) Enable this option to ignore all TCP RESET packets, and 2) Since you still want to find all live hosts, you need to enable other host discovery methods (ICMP, TCP and UDP with a default list of TCP/UDP host discovery ports).
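To make the interplay between the live host sweep and the two "ignore RST" options concrete, here is an added Python model (not Qualys code) of the liveness decision described above, run over constructed replies for a small netblock. It assumes the rule that any counted reply makes a host alive, that a RST from a probed port counts as a live-host reply unless ignored, and it uses a constructed firewall_generated flag to stand in for the scanner's best-effort guess.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Default TCP host-discovery ports named earlier on this page.
DEFAULT_TCP_PORTS = frozenset({21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 443, 445, 5631})


@dataclass(frozen=True)
class Response:
    host: str
    kind: str                         # "icmp-echo-reply", "udp", "syn-ack" or "rst"
    port: Optional[int] = None        # TCP port the reply refers to, if any
    firewall_generated: bool = False  # stands in for the scanner's best-effort guess on a RST


@dataclass(frozen=True)
class SweepOptions:
    icmp: bool = True
    udp: bool = True
    tcp_ports: FrozenSet[int] = DEFAULT_TCP_PORTS
    ignore_firewall_rst: bool = False  # "Ignore Firewall-Generated TCP RST Packets"
    ignore_all_rst: bool = False       # "Ignore All TCP RST Packets (maps only)"


def counts_as_alive(r: Response, opts: SweepOptions) -> bool:
    """Does this single reply make the host count as alive under these options?"""
    if r.kind == "icmp-echo-reply":
        return opts.icmp
    if r.kind == "udp":
        return opts.udp
    if r.port not in opts.tcp_ports:
        return False                   # a port we never probed cannot be evidence
    if r.kind == "syn-ack":
        return True                    # an open port: clearly a live host
    if r.kind == "rst":
        if opts.ignore_all_rst:
            return False
        if opts.ignore_firewall_rst and r.firewall_generated:
            return False
        return True                    # a closed port on a host that answered
    return False


def live_hosts(responses: Iterable[Response], opts: SweepOptions) -> List[str]:
    """A host is alive if at least one of its replies counts (as the sweep above says)."""
    return sorted({r.host for r in responses if counts_as_alive(r, opts)})


# Constructed replies for a small netblock; not real scan data.
SAMPLE = [
    Response("10.0.0.1", "icmp-echo-reply"),
    Response("10.0.0.1", "syn-ack", 22),
    Response("10.0.0.2", "rst", 445),                          # real host, port closed
    Response("10.0.0.3", "rst", 80, firewall_generated=True),  # firewall answering for a dead IP
    Response("10.0.0.4", "rst", 443),                          # firewall RST the scanner failed to spot
    Response("10.0.0.5", "syn-ack", 1433),
    Response("10.0.0.5", "icmp-echo-reply"),
]

# The configurations discussed above.
DEFAULT = SweepOptions()
IGNORE_FIREWALL_RST = SweepOptions(ignore_firewall_rst=True)
USE_CASE_B = SweepOptions(ignore_all_rst=True)  # keeps ICMP, UDP and the default TCP ports
USE_CASE_A = SweepOptions(icmp=False, udp=False,
                          tcp_ports=frozenset({1433, 1434}), ignore_all_rst=True)

if __name__ == "__main__":
    for name, opts in [("default", DEFAULT), ("ignore firewall RST", IGNORE_FIREWALL_RST),
                       ("use case b", USE_CASE_B), ("use case a", USE_CASE_A)]:
        print(f"{name:20}: {live_hosts(SAMPLE, opts)}")
```

Note that 10.0.0.4, the phantom host, survives both the default and the "ignore firewall-generated RST" settings, while 10.0.0.2, a real host whose only reply was a RST, disappears under use case b; that is why the page says to keep the other discovery methods enabled in that case.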

Ignore firewall-generated SYN-ACK packets

Some filtering devices, such as firewalls, may cause a host to appear "alive" when it isn't by sending TCP SYN-ACK packets using the host's IP address. When enabled, we attempt to determine if TCP SYN-ACK packets are generated by a filtering device and ignore all SYN-ACK packets that appear to originate from such devices.

Do not send ACK or SYN-ACK packets during host discovery

Some firewalls are configured to log an event when out-of-state TCP packets are received. Out-of-state TCP packets are packets that are not SYN packets and do not belong to an existing TCP session. If your firewall is configured this way and you do not want such events logged, enable this option to stop the service from sending out-of-state ACK and SYN-ACK packets during host discovery for map and scan tasks. If you enable this option and also enable the "Perform 3-way handshake" option in the Scan section of your profile, the "Perform 3-way handshake" option takes precedence and this option is ignored.

Worried about triggering your IDS?

If our scan triggers your IDS, then it will likely be firewalled and we won't be able to continue our search for vulnerabilities on your network. Therefore, we need to know which IPs you have protected and which ports are blocked. Go to the Blocked Resources section and select the ports that are blocked and IP addresses that are protected by your firewall/IDS.

Other options to consider

1) Add hosts that you don't want scanned to the global excluded hosts list under Scans > Setup > Excluded Hosts.

2) Add our scanner IP addresses to a whitelist or exception list in your firewall/IDS configuration. You can view a current list of IP addresses for our cloud external scanners on the About page (Help > About). Refer to your firewall/IDS documentation for specific details on how to configure an exceptions list.

3) Are you using WatchGuard? If yes, add our scanner IP addresses to the "Blocked Sites Exception" list. This list is configured in the System Configuration for the WatchGuard Firebox Vclass series, and in the Policy Manager for the WatchGuard Firebox System series. Note: The "WatchGuard default blocked ports" option is only applicable to the WatchGuard Firebox System series. Setting this option is not necessary if you added our scanner IP addresses to the WatchGuard exception list.

Can I edit PCI settings?

Yes. There are limited scan settings that can be edited in PCI option profiles. Managers have permission to edit the service-provided profile called "Payment Card Industry (PCI) Options", which is optimized for PCI external scans. Users can also create custom PCI option profiles from the New menu.