You have a few options. You can pause the scan (and resume it later) or cancel the scan. Select the scans you want to stop from the scans list and then choose an action from the Actions menu.
Learn more about paused scans
- Partial results are saved (and cannot be deleted) until the scan is resumed and finished.
- When resumed, the scan picks up where it left off scanning the remaining target hosts using the same set of options.
- Once all target hosts have been scanned and the scan is finished, the scan results from all scan segments are combined into a single report.
- If not finished within 30 days, the scan is canceled. If you resume a scan and then pause it again, the initial 30 day window still applies.
- If a scanner appliance was used, the pause/resume request is communicated to the scanner appliance using its polling feature. There must be at least one polling interval before the pause/resume request starts.
Learn more about canceled scans
- Partial results are saved when at least one host is scanned.
- An empty report is saved when no hosts are scanned, go to Filters > Empty Results to see it.
Yes, at any time. Choose View from the Quick Actions menu for any running scan. You'll see the IPs that have already been scanned, the IPs currently being scanned and the IPs waiting to be scanned. For a vulnerability scan, you can also access partial results as they become available. Once the scan is finished you'll be able to view and download the full results.
The scan status will show "Finished". At this time you can select View from the Quick Actions menu to see the full results in an HTML report. If you have notifications turned on you'll get an email. This is especially useful if you logged out of the application or went on to do other things while the scan was running. You can change notification settings in your user profile. Select User Profile below your user name (in the top right corner) and go to the Options section.
Scan results must be processed in order for you to see the related scan data in reports and other places in the UI. Check the processing status on the scans list to be sure. You'll see when scan results are processed, and when scan results are not processed. Go to Filters > Processing Tasks to see processing tasks and their status.
Scan processing is triggered automatically by the Qualys Cloud Platform. You might like to know when scan processing is kicked off. This depends on your subscription settings, specifically whether the New Data Security Model (NDSM) is enabled (Users > Security).
- Is New Data Security Model enabled (NDSM)? Scan processing is kicked off as soon as a scan has finished. No login by any user is needed.
- Is NDSM turned off (not enabled)? Scan processing is kicked off as soon as any user in the subscription logs in.
Go to your scans list to get status information for all of your scans. The preview pane shows up-to-the-moment scan statistics even as your scan is running.
Each scan will have one or more scan segments. The Start date that appears in the preview pane depends on the status of the current scan segment.
- If the scan is running, it shows the start date as the current segment's start date.
- If the scan is paused or cancelled, is shows the start and end date of the current segment.
- If the scan is finished, it shows start date as the start date of the first segment and end date as that of the last segment.
A scan segment identifies a portion of scanning work that the service has distributed to scanner(s). A scan will have one segment unless it is paused. If a scan is paused and resumed one time, the scan will have two segments. If it is paused and resumed five times it will have six segments.
Yes. For every scan we save vulnerability data detected by the scan as 1) scan results, and 2) as vulnerability data indexed by host. We use the indexed data to show you the most recent vulnerability data for hosts throughout the UI (on your dashboard, in your asset search, in remediation tickets, etc). If you choose to delete scans from your account you can still create scan reports that include the vulnerability data collected by the deleted scans. Just create a scan report template with Host Based Findings.
Select View from the Quick Actions menu. You'll get an HTML report of the findings.
Select Download from the Quick Actions menu. Several download formats are available.
Tell me about scan results: VM Scan Results | PC Scan Results
Scan results in XML: Qualys API (VM, PC) User Guide
Scan results are saved in your account for a period of time defined by your storage settings. Go to Scans > Setup > Storage to view the storage settings and update if you want.
Good to know:
Host based findings are NOT deleted
It's important to understand that when you delete a scan from the list, the host scan data remains in your account. Host scan data (also referred to as Auto data) is saved separately from scan results after each scan. This means you can still run reports on the data and you'll still see the data throughout the UI (i.e. on your dashboard, asset search results, remediation tickets, and host information). If you want to remove host scan data from your account, you need to purge the host.
PCI ASV scan results (external IPs with external scanners and PCI Option Profile) are saved for 2 years
PCI ASV scan results are saved for 2 years from the scan launch date even if the Auto Delete Stored Data option is enabled. PCI ASV scan results may be deleted when older than 2 years.
Yes. Identify the scan you want to run again and select Relaunch from the Quick Actions menu. We'll do our best to prefill the scan settings to match the original scan. We may not be able to prefill settings if there were changes in your account like your assets changed or the option profile was renamed. Interested in automated scanning? Go to the Schedules tab and set up a recurring scan schedule for continuous monitoring.
Go to Help > Account Info to see the number of scans available in your account.
How are scans counted?
Each time you scan a host, the scan is counted against the remaining scans for the account. When Vulnerability Management (VM) and Policy Compliance (PC) are both enabled for your account, each scan type is counted separately against the remaining scans. For example, if you perform a vulnerability scan and a compliance scan on the same target host, then the remaining scans count is decreased by 2 scans. Note that only hosts that are "alive" at the time of the scan will be counted, and subsequently subtracted from the number of scans remaining in your account.
How do I purchase more scans?
Please contact Technical Support to purchase more scans for your account.
Follow these best practices recommended by our Support team for scanner appliance placement.
Consult your network group
It's highly recommended that you work with your network group to determine where to place scanner appliances in your environment. Some things to consider: place scanner appliances as close to target machines as possible, and make sure to monitor and identify any bandwidth restricted segments or weak points in the network infrastructure. Scanning through layer 3 devices (such as routers, firewalls and load balancers) could result in degraded performance. You may want to configure your scanner appliance with VLANs and Static Routes to circumvent layer 3 devices to avoid potential performance issues.
Avoid scanning through a firewall from the inside out
Problems can arise when scan traffic is routed through the firewall from the inside out, i.e. when the scanner appliance is sitting in the protected network area and scans a target which is located on the other side of the firewall. We recommend placing scanner appliances in your network topology in a way that scanning and mapping through a firewall from the inside out is avoided if possible. See Scanning and Firewalls.
With Linux authenticated scans your user's BASH history file (bash_history) may get overrun because there are so many lines generated by the scan. To prevent this you can set the following value for HISTIGNORE.
What is HISTIGNORE?
This description for HISTIGNORE is from the man page for BASH.
A colon-separated list of patterns used to decide which command lines should be saved on the history list. Each pattern is anchored at the beginning of the line and must match the complete line (no implicit `*' is appended). Each pattern is tested against the line after the checks specified by HISTCONTROL are applied. In addition to the normal shell pattern matching characters, `&' matches the previous history line. `&' may be escaped using a backslash; the backslash is removed before attempting a match. The second and subsequent lines of a multi-line compound command are not tested, and are added to the history regardless of the value of HISTIGNORE.