Option Profile

Give the profile a title

Enter a title for easy identification.

Change the owner

We'll list users who can be the owner of this profile. Don't see a particular user? The user may not be a valid owner because of their role or business unit. Click the Launch Help link to learn more about owners.

Set as the default

Make this profile the default for all scans and maps. There can only be one default profile for the subscription.

Make this profile global

Share this profile with other users by making it global.

Are you a Manager? This profile will be available to all users.

Are you a Unit Manager? This profile will be available to all users in your business unit.  

Sync to offline scanners

When selected, this profile will be downloaded to your offline scanners during the next sync.

TCP and UDP ports to scan

We use ports to send packets to the host to determine if the host is alive and to discover services on the host. Select Full to scan all ports, Light Scan to scan fewer ports, or create a custom list of ports.

Authoritative option for light port scans

When enabled, previously open findings will be closed if the scan's option profile includes the QID (under Vulnerability Detection) and port the vulnerability was previously detected on, and certain conditions are met. See the help to learn more.

Scan dead hosts

A dead host is a host that is unreachable - it didn't respond to any pings. Your scan may run longer if you choose to scan dead hosts.

Close vulnerabilities on dead hosts

Quickly close vulnerabilities for hosts that are not found alive after a set number of scans. When enabled, we'll mark existing tickets associated with dead hosts as Closed/Fixed and update the vulnerability status to Fixed. You must also choose Full or Standard options for both TCP Ports and UDP Ports in the same option profile when using this feature.

Purge hosts when OS is changed

This option is especially useful if you have systems that are regularly decommissioned or replaced. By selecting this option you’re telling us you want to purge the host if we detect a change in the host's Operating System (OS) vendor at scan time, for example the OS changed from Linux to Windows or Debian to Ubuntu. We will not purge the host for an OS version change like Linux 2.8.13 to Linux 2.9.4.

Performance options

Fine tune the performance intensity of your scans.

Overall Performance - The profile Normal is recommended in most cases. Various settings are saved as part of this profile. You can change to another performance profile or create a custom profile with settings you prefer. Click Configure to view the current settings i.e. hosts to scan in parallel, processes to run in parallel, packet delay, port scanning and host discovery, and change the settings as you prefer.

External scanners to use - Select the maximum number of external scanners to use for scanning perimeter assets. (This option is available when your subscription is configured with multiple external scanners.)

Important - Performance settings should only be customized by users with in-depth knowledge of the target network and available bandwidth resources.

Detect load balancers

Select this option to check each target host to determine if it's a load balancer. When a load balancer is detected, we determine the number of Web servers behind it and report QID 86189 "Presence of a Load-Balancing Device Detected" in your results.

Enable password brute forcing

How vulnerable are your hosts to password-cracking techniques? Choose "System" and we'll attempt to guess the password for each detected login ID on each target host scanned. Select the level of brute forcing you prefer ("Minimal" to "Exhaustive"). Choose "Custom" to create your own list of login/password combinations to look for.

Set Maximum Scan Duration per Asset

Select this option to limit how long a scan can run on a single asset in the scan target. When the limit is exceeded, the scan on the asset will be aborted and the scanner will move to the next target in the scan job. You will not get scan results for hosts that exceeded the maximum scan duration.

Vulnerability Detection

With a "Complete" scan we'll scan for all vulnerabilities (QIDs) in the KnowledgeBase applicable to each host being scanned. Select "Custom" to limit the scan to select QIDs only. Then add search lists with the QIDs you want to scan.

We recommend you add basic host information checks (hostname, OS, etc) to your Custom scans. These are already included in Complete scans.

Want to scan OVAL checks? Select Custom, add a search list with QID 105186 (a diagnostic check for OVAL), and select the option "OVAL checks".

Want to scan QRDI checks? Select the option "All QRDI checks" to scan target assets for all QRDI vulnerabilities in your subscription, i.e. all custom vulnerability checks defined with QRDI (Qualys Remote Detection Interface).

Are there QIDs you're not interested in? Select Excluded QIDs and add search lists with the QIDs you'd like to exclude. Please note that checks for excluded QIDs may still run and cause related network traffic. See the full help for more details.

Intrusive checks are excluded automatically from scans unless you pick the option "Do not exclude Intrusive checks". These are remote checks that may cause harm or damage to a remote system. Some remote vulnerabilities can only be effectively detected by attempting to compromise the vulnerability.  Qualys attempts to ensure that any compromise attempted is benign, however this cannot be guaranteed.  Intrusive checks may leave the remote system in an unstable state.

Enable authentication

Want to run authenticated scans? When you use authentication we'll perform a more in-depth assessment and get you the most accurate results with fewer false positives. Select one or more technologies for the hosts you want to scan.

Be sure you've configured authentication records (under Scans > Authentication) before running your scan.

For Unix authentication, you have the option to scan with least privileges required. When selected, we will not perform root delegation to elevate the account privileges to root when root delegation is specified in the Unix record. 

Test authentication

Check this option to run a quick, custom scan to test if authentication to target hosts is successful. This way you can identify issues with authentication credentials before running a full scan. The Appendix section of your Scan Results report will list the hosts that passed/failed authentication. You'll also see the custom list of QIDs included in the scan (note that the option profile will be set to Complete).

Include system created authentication records in scans

If you have system created authentication records in Policy Compliance, you can select this option to include the system records in your vulnerability scans. When selected, system created records will be used in addition to user created records when authentication is enabled.

Detect additional certificates

Want to detect additional certificates beyond ports? You need to enable authentication and then run new vulnerability scans. Select this option before scanning and see additional certificate records (under Assets > Certificates).

Enable the dissolvable agent

This is required for certain scan features like Windows Share Enumeration. How does it work? At scan time the Agent is installed on Windows devices to collect data, and once the scan is complete it removes itself completely from target systems.

Enable Windows Share Enumeration

Use Windows Share Enumeration to find and report details about Windows shares that are readable by everyone. This test is performed using QID 90635. Make sure 1) the Dissolvable Agent is enabled, 2) QID 90635 is included in the Vulnerability Detection section, and 3) a Windows authentication record is defined.

Tell us how to gather host information

Select the hosts you're interested in: All Hosts (hosts detected by the map), Registered Hosts (hosts in your account), Netblock Hosts (hosts added by a user to the netblock for the target domain) or None. Also select the ports to scan.

Perform live host sweep

Uncheck (clear) this option to only discover devices using DNS discovery methods (DNS, Reverse DNS and DNS Zone Transfer). Active probes will not be sent. As a result, we may not be able to detect all hosts in the netblock, and undetected hosts will not be analyzed.

Disable DNS traffic

Check this option if you want to disable DNS traffic for maps. This is valid only when the target domain name includes one or more netblocks, e.g. none:[10.10.10.2-10.10.10.100]. We'll perform network discovery only for the IP addresses in the netblocks. No forward or reverse DNS lookups, DNS zone transfers or DNS guessing/bruteforcing will be made, and DNS information will not be included in map results.

Map authentication options

Run a map using vCenter authentication to discover ESX/ESXi hosts. Be sure to set up vCenter authentication records under Scans > Authentication.

Run a map using VMware authentication to retrieve a list of virtual guest hosts residing on a VMware server. Be sure to set up VMware authentication records under Scans > Authentication.

Select ports for host discovery

Host discovery is the process used to determine which hosts are "alive" before scanning for vulnerabilities. In certain cases you may want to customize the probes that are sent and ports that are scanned. For example, add ports that are not included in the Standard port list, remove probes that will trigger your firewall/IDS, or only discover live hosts that respond to an ICMP ping.

Worried about triggering your IDS?

Tell us which ports are blocked and which IP addresses are protected by your firewall/IDS.

Ignore firewall-generated TCP RST packets

When enabled, we will try to identify firewall-generated TCP RESET packets and ignore them.

Notes:

- It is not always possible to determine whether a RESET packet is firewall generated but we will make a best effort. Some firewall-generated RESET packets could still be misidentified as generated by live host(s) and in this case they will not be ignored.

- If the scan or map target is larger than a class B, then we will not attempt to figure out whether RESET packets are firewall generated because the scan time will be very long. Instead, we will ignore all RESET packets.

Ignore All TCP RST Packets

When enabled, we will ignore all TCP RESET packets - firewall-generated and live-host-generated.

This option is useful for finding hosts with one or a few selected ports open. It can also be used when firewall-generated RESET packets are present but we fail to identify and ignore them with Ignore Firewall-Generated TCP RST Packets selected, resulting in many phantom hosts being reported as live hosts. Click the Launch Help link (at the top of the page) for typical use cases.

Ignore firewall-generated SYN-ACK packets

Some filtering devices, such as firewalls, may cause a host to appear "alive" when it isn't by sending TCP SYN-ACK packets using the host's IP address. When enabled, we attempt to determine if TCP SYN-ACK packets are generated by a filtering device and ignore packets that appear to originate from such devices.

Do not send TCP ACK or SYN-ACK packets during host discovery

Some firewalls are configured to log an event when out of state TCP packets are received. Out of state TCP packets are not SYN packets and do not belong to an existing TCP session. If your firewall is configured in this way and you do not want these events logged, then enable this option.

Run a lite OS scan

When this option is enabled and QID 45017 is present in a scan, the scan job removes expensive OS detection methods from the initial host discovery phase only. These methods may still be executed later during vulnerability testing if other QID detections need them, but not as part of host discovery when basic host inventory information is collected.

When enabled what OS detection methods are excluded from host OS discovery?
- Telnet
- MSRPC
- HTTP: PHP-based information from PHP information/debugging pages
- NTP
- VMware ESXi web service

Add a custom HTTP header value

The value you enter will be used in the "Qualys-Scan: " header that will be set for many CGI and Web Application fingerprinting checks. Some discovery and Web Server fingerprinting checks will not use this header.

Run a host alive test

Check this option to run a quick scan to determine which of your target hosts are alive without also performing other scan tests. The Appendix section of your Scan Results report will list the hosts that are alive and hosts that are not alive. You may see some Information Gathered QIDs in the results for hosts found alive.

Enable for Ethernet probing

Check this option to enable the scanner to allow Ethernet IP probing for OS detection. When you launch a vulnerability scan with this option enabled, the operating system detection method “TCP fingerprint” first tries to generate a fingerprint via EthernetIP on TCP port 44818, before falling back to regular TCP fingerprinting. This is done even if port 44818 is not in the list of ports to be scanned. If EthernetIP negotiation is successful we’ll use the device information to identify the target’s operating system (reported in QID 45017).

Do not overwrite OS

You may want to select this option if you're running a light or custom scan and you don't want to overwrite the OS detected by a previous scan.

Configure Scan Performance Settings

Enable parallel scaling for scanner appliances

This setting can be useful in subscriptions which have physical and virtual scanner appliances with different performance characteristics (e.g., CPU, RAM).  

Select this option to dynamically scale up the "Hosts to Scan in Parallel" setting (at scan time) to a calculated value which is based upon the computing resources available on each appliance. Note that the "Hosts to Scan in Parallel" value determines how many hosts each appliance will target concurrently, not how many appliances will be used for the scan.

Overall performance levels

Normal - Recommended in most cases. Well balanced between intensity and speed.

High - Recommended only when scanning a single IP or a small number of IPs. Optimized for speed and shorter scan times.

Low - Recommended if responsiveness for individual hosts and services is low. Optimized for low bandwidth network connections and highly utilized networks. May take longer to complete.

Hosts to Scan in Parallel

Set the max number of hosts to scan at the same time (per scan task).

Notes:

- May impact your network bandwidth and performance of routers, switches and firewalls. It does not affect responsiveness for individual hosts and services. Decrease the value if the impact on your network is too great.

- Launching several concurrent scans on the same scanner appliance has a multiplying effect on bandwidth usage and may exceed available scanner resources. Don't have scanner appliances? Disregard the Scanner Appliance setting.

Processes to Run in Parallel

Set the max number of processes to run at the same time per host and the max number of HTTP processes to run at the same time. Lower the HTTP processes setting: 1) if your web servers cannot handle many HTTP requests sent in a short period of time, or 2) to scan devices with multiple web server ports or embedded devices with limited resources.

Packet Delay

This is the delay between groups of packets sent to each host during a scan. With a short delay, packets are sent more frequently. With a long delay, packets are sent less frequently.

Port Scanning and Host Discovery

This setting determines the aggressiveness (parallelism) of port scanning and host discovery at the port level. Lowering the intensity level has the effect of serializing port scanning and host discovery. This is useful for certain network conditions like cascading firewalls and lower scan prioritization on the network. Tip - If you are scanning through a firewall we recommend you reduce the intensity level. Unauthenticated scans see more of a performance difference from this option.

Limit Per Host CGI Checks

Select if you want to set a limit on the max number of CGI checks.

Max CGI Check

You’ll be able to define the maximum number of checks per scan if you’ve enabled Limit Per Host CGI Checks.

Configure Scan for Limited Connectivity

Select if you want to configure the scan for limited connectivity.

Set Maximum Targets per Slice

Select if you want to specify the maximum number of targets per slice.

Maximum number of targets

You’ll be able to define the maximum number of targets.

Skip Pre-scanning

Select if you want to skip pre-scanning.

Configure Map Performance Settings

Overall Performance Levels

Normal - Recommended in most cases. Well balanced between intensity and speed.

High - Optimized for speed. May be faster to complete but may overload firewalls and other networking devices.

Low - Optimized for low bandwidth network connections. May take longer to complete.

Netblocks to Map in Parallel

Set the max number of netblocks to map at the same time per scanner. Note - This setting may have an impact on your network bandwidth. This setting does not affect responsiveness for individual hosts and services. If your network or network devices become overloaded, adjust this setting accordingly.

Netblock Size - Set the max number of IPs per netblock being mapped. The netblock specified for the domain is broken into smaller netblocks for processing. Each of these smaller netblocks equals a single map process. Use this setting to define how many IPs should be included in each process.

Packet Delay

This is the delay between groups of packets sent to the netblocks being mapped. With a short delay, packets are sent more frequently, resulting in more bandwidth utilization and a shorter mapping time. With a long delay, packets are sent less frequently, resulting in less bandwidth utilization and a longer mapping time.

Configure Password Brute Forcing

Title

Provide a title for this brute force list.

Select the list type

Common targets of brute force attacks are hosts running FTP, SSH and Windows. You can create separate brute force lists for testing these different types of services. When you select Windows we'll attempt to connect to the local user database on each target Windows host. (Note that the credentials are not forwarded to the Windows domain controller to authenticate against the domain user database. You must scan the domain controller to brute force domain accounts.)

Create your Login/Password list

Enter up to 50 login/password combinations that you want to test. Start with the login name (L:login) followed on the next line with the password (P:password). If the password is blank, you must still add a password line. For example:

L:admin
P:temp
L:Guest
P:
L:test
P:test
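A validator for this list format, added here as an example and not Qualys code: it enforces the L:/P: line pairing, the required P: line for a blank password, and the limit of 50 combinations, so a malformed list is caught before it is saved to the profile. The treatment of blank separator lines (ignored) and of whitespace inside values (preserved) is an assumption of this example, not something the help text specifies.

```python
"""Validate a brute force login/password list in the L:/P: format.

Added example, not Qualys code. The rules come from the help text:
an L:<login> line is followed on the next line by a P:<password>
line, a P: line is required even for a blank password, and at most
50 combinations are allowed. Ignoring blank lines and preserving
whitespace inside values are assumptions made here.
"""
from __future__ import annotations

MAX_PAIRS = 50  # limit stated in the help text


class ListFormatError(ValueError):
    """Raised when the list does not follow the L:/P: line pairing."""


def parse_credential_list(text: str) -> list[tuple[str, str]]:
    """Return (login, password) pairs parsed from the L:/P: text.

    Raises ListFormatError when a login has no P: line, a P: line
    has no preceding login, a line carries neither prefix, or more
    than MAX_PAIRS combinations are present.
    """
    pairs: list[tuple[str, str]] = []
    pending_login: str | None = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():  # assumption: blank separator lines are ignored
            continue
        if line.startswith("L:"):
            if pending_login is not None:
                raise ListFormatError(
                    f"line {lineno}: login {pending_login!r} has no P: line")
            pending_login = line[2:]
        elif line.startswith("P:"):
            if pending_login is None:
                raise ListFormatError(f"line {lineno}: P: line without a login")
            pairs.append((pending_login, line[2:]))  # "P:" alone is a blank password
            pending_login = None
        else:
            raise ListFormatError(f"line {lineno}: expected an L: or P: prefix")
    if pending_login is not None:
        raise ListFormatError(f"last login {pending_login!r} has no P: line")
    if len(pairs) > MAX_PAIRS:
        raise ListFormatError(
            f"{len(pairs)} combinations exceed the limit of {MAX_PAIRS}")
    return pairs


# Constructed sample: the three combinations shown in the help text.
SAMPLE_LIST = "L:admin\nP:temp\nL:Guest\nP:\nL:test\nP:test\n"

if __name__ == "__main__":
    for login, password in parse_credential_list(SAMPLE_LIST):
        print(f"{login!r} -> {password!r}")
```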