SSBP Lab Tutorial Supplement


Scanning Strategies and Best Practices



Lab Tutorial Supplement

Table of Contents
SCANNING STRATEGIES AND BEST PRACTICES
LAB 1: ADD HOSTS TO SUBSCRIPTION
LAB 2: CREATE ASSET GROUP
LAB 3: OPTION PROFILES
LAB 4 - 6: AUTHENTICATION
LAB 7: AGENTLESS TRACKING AND MERGING
LAB 8: SCAN RESULTS
LAB 9 - 11: SCAN ANALYSIS
LAB 12 - 14: SCAN TYPES
LAB 15 - 16: SCANNING CLOUD AGENT HOSTS
LAB 17 - 18: DELEGATING SCAN TASKS



LAB 1: Add hosts to subscription
Add Hosts to Subscription
Before you can scan your assets, you must first add them to your subscription. When
adding assets to your subscription, you must assign a tracking method.

The tracking method impacts how the hosts will be listed in scan reports (scan
results are always sorted by IP address).

There are three methods available for tracking discovered vulnerabilities:
- IP tracking
- DNS tracking
- NetBIOS tracking

A fourth host tracking method, the Qualys Host ID, is used by default for all assets
with the Qualys Cloud Agent.

The Qualys Host ID is unique for each host. When the “Agentless Tracking” feature is
enabled, it is also available for “scannable” assets (assets scanned using an
appliance).




Lab 1 - https://ior.ad/7LHg

Lab 1 will teach you how to add IP addresses to your subscription.

LAB 2: Create asset group
Asset groups
Asset groups are logical groups of hosts, domains, and scanner appliances (if
applicable). Asset groups can be based on importance, priority, location, or
ownership.

Using asset groups makes scanning, mapping, and reporting more efficient. You can
scan and map a group repeatedly and know that the same IPs and domains are
included every time.

Scanning your entire network in a single scan task can be cumbersome and is not
recommended. By organizing assets into subsections of your network, you can limit
the scope of each scan target, making the results and the remediation tasks more
manageable.


Lab 2 - https://ior.ad/7LHi

Lab 2 will teach you how to organize your assets using asset groups.

LAB 3: Option Profiles


Qualys scan process:

When you launch a vulnerability scan, it goes through four steps:

1. Host Discovery
The Host Discovery Module will begin the data collection process by performing
some checks and probes to determine the present status of each targeted host,
either alive or dead.

Once the host discovery module has completed its task, a list of your LIVE targets
is passed to the Port Scanning Module.



2. Port Scanning
The port scanning module’s job is to determine which TCP and UDP ports are
open (depending, of course, on the number of ports you are targeting in your
scan).

Once the TCP and UDP port scanning modules have completed their respective
tasks, the open TCP and UDP port lists are passed to the Service detection
module.

3. Service Detection

The Service Detection Module probes each open TCP and UDP port and uses
fingerprinting to identify the service listening on it, rather than assuming
the service from the port number alone. The results are reported as QID 82023
(Open TCP Services) and QID 82004 (Open UDP Services).

Once the active services have been identified, the list is passed to the OS
Detection Module.

4. OS Detection

The OS Detection Module attempts to identify the operating system installed
on each targeted host. At least one open TCP port is required for this task.

Qualys recommends performing authenticated scans for the most accurate
operating system detection. Authentication allows the Qualys Scanner Appliance
to identify the exact OS vendor and version number directly from the Windows
registry or by executing the appropriate command on the host.

An additional benefit of scanning in authenticated mode is the enumeration of
installed software applications, which triggers additional vulnerability
assessment modules for the software found on the target hosts.

Scans performed without authentication rely on a combination of TCP/IP stack
fingerprinting and enhanced protocol interrogation to detect the host
operating system, which is less precise than reading the version from the host.


Any time you want to start a scan or map, you’ll need to choose an option profile.
The profile defines the settings you want to use.

You can define these settings in an Option Profile:

• Ports to scan:



Qualys sends packets to a set of ports to determine whether the host is alive,
and then fingerprints the services found on the open ports.
By default, the standard list of ports (TCP and UDP) is used unless you choose a
different option in the profile.
The “Standard Scan” option is suitable for essential port coverage while
minimizing total scan time.
A “Full” scan (all ports) provides the widest coverage. Network filtering
devices and host-based firewalls should be configured to allow the targeted
ports from the scanner; otherwise filtered ports show up as closed and the
services behind them are never assessed.
When “Perform 3-way Handshake” is enabled, the scanning engine completes a full
TCP 3-way handshake with each target port. Once the connection between the
scanner and the target host is established, it is closed. This is slower than
a half-open probe but does not leave half-open connections behind, which some
firewalls and intrusion detection systems flag.

• Authoritative Option for Light Scans:


The “Authoritative Option” was designed primarily for Qualys users moving
from the standard scan to the light scan option in their TCP and UDP port
settings.
Moving to the light scan removes over 1700 TCP ports and 150 UDP ports from
a scanning task:

TCP ports included in a standard scan – 1900
TCP ports included in a light scan – 160

UDP ports included in a standard scan – 180
UDP ports included in a light scan – 30

Selecting the “Enable Authoritative Option for light scans” check box will
effectively close all previously detected QIDs associated with ports that are no
longer being targeted by the light scan.

Non-authoritative scans do not update the status of a QID if the port it was
detected on is not included in the list of ports to scan; the finding stays
open even though it was not re-tested.

In an authoritative scan, previously open findings will be closed if:
• the QID is targeted but not detected
• the QID could not be executed because the port the vulnerability was
previously detected on is no longer open or reachable by the scanner
• the port is not in the list of ports scanned.

Each instance of a vulnerability is evaluated independently according to these
conditions. If a web server has the same vulnerability on TCP/80 and TCP/443 and
the light scan covers only TCP/80, the TCP/80 instance is re-tested while the
TCP/443 instance is closed by the authoritative scan, not because it was fixed
but because it was not targeted. Enable the option only when the light port list
is deliberately the new scope; otherwise it silently closes real findings.
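The closing rules above, worked through in code. This is an added example and not part of the original supplement or Qualys software: the data structures, the QID number 11111 and the port lists are constructed for illustration, and the behaviour of a non-authoritative scan when a targeted port is found closed (status left unchanged because the check could not run) is a modelling assumption, since this section only states the rules for the authoritative case.

```python
"""Model of how the 'Authoritative Option for light scans' changes the status of
previously detected QIDs. Added example; rules follow the section above, the
data layout is an assumption."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    qid: int      # hypothetical QID number, not a real Qualys QID
    port: int     # TCP port the QID was previously detected on
    status: str   # "Active" or "Fixed"


def update_findings(previous, scanned_ports, open_ports, detected, authoritative):
    """Return the post-scan status of each previous finding.

    previous      - findings carried over from the last scan
    scanned_ports - ports targeted by this scan (a light scan targets a subset)
    open_ports    - ports the port scanner found open this time
    detected      - set of (qid, port) pairs detected by this scan
    authoritative - True when the option profile check box is enabled
    """
    updated = []
    for f in previous:
        if (f.qid, f.port) in detected:
            # Re-detected: stays (or becomes) Active in both modes.
            updated.append(replace(f, status="Active"))
        elif f.port not in scanned_ports:
            # Port not in the scanned list: authoritative closes it,
            # non-authoritative leaves the status untouched.
            updated.append(replace(f, status="Fixed") if authoritative else f)
        elif f.port not in open_ports:
            # Port targeted but no longer open/reachable: the QID could not run.
            # Authoritative closes it; non-authoritative leaves it (assumption).
            updated.append(replace(f, status="Fixed") if authoritative else f)
        else:
            # Port open, QID targeted and not detected: fixed in both modes.
            updated.append(replace(f, status="Fixed"))
    return updated


def web_server_example(authoritative):
    """The TCP/80 + TCP/443 case from the text: a light scan that covers only
    TCP/80 re-detects the instance on 80 and never tests the one on 443."""
    previous = [Finding(11111, 80, "Active"), Finding(11111, 443, "Active")]
    return update_findings(
        previous,
        scanned_ports={22, 80},        # constructed light port list
        open_ports={80},
        detected={(11111, 80)},
        authoritative=authoritative,
    )


if __name__ == "__main__":
    for mode in (True, False):
        print("authoritative" if mode else "non-authoritative",
              [(f.port, f.status) for f in web_server_example(mode)])
```

Running the block prints the TCP/443 instance as Fixed only under the authoritative scan, which is exactly the silent closure the caveat above warns about.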


• Scan Dead Hosts:


A dead host is an unresponsive host: it did not respond to any of the host
discovery probes (pings). Typically, you want to avoid scanning dead hosts. You
may choose to scan them anyway, but note that this can substantially increase
scan time, because every probe to a dead address has to time out.
This option is useful for hosts you know are live but that do not answer your
existing host discovery probes, for example because ICMP is blocked in front of
them.
• Close Vulnerabilities on Dead Hosts



Use this to close vulnerabilities for hosts that are not found alive after a set
number of scans.
When enabled, we’ll mark existing tickets associated with dead hosts as
Closed/Fixed and update the vulnerability status to Fixed.

• Purge old host data when OS is changed



This option is helpful if you regularly decommission or replace systems.
When enabled, we’ll purge a host’s stored data if we detect a change in the
host’s operating system vendor, for example, the OS changes from Linux to
Windows or Debian to Ubuntu.
Version number changes for the same OS vendor are not impacted by this
setting. We will not purge the host for an OS version change like Linux 2.8.13 to
Linux 2.9.4.
• Performance



Use performance settings to tune the intensity of your scans. The performance
level Normal is selected initially, and this is recommended in most cases.
High - Optimized for speed and shorter scan times. It is recommended when
scanning a small number of IPs. It is faster to complete but may overload your
network or devices. Scanning a host with limited resources may result in an
unresponsive host or service.

Normal - Recommended as best practice in most cases.

Low - Optimized for low bandwidth network connections and highly utilized
networks. Recommended if responsiveness for individual hosts and services is
low. Scans may take longer to complete.

Enable parallel scaling for Scanner Appliances -

This setting can be helpful in subscriptions that have physical and virtual
scanner appliances with different performance characteristics (e.g., CPU,
RAM).

When enabled, we will dynamically scale up the “Hosts to Scan in Parallel”
setting (at scan time) to a calculated value based upon the computing
resources available on each appliance.
Processes to run in parallel (per host) -

Set the maximum number of processes to run at the same time per host and
the maximum number of HTTP processes to run at the same time.

The HTTP Processes setting determines how aggressively the scanning
engine scans your web servers.

Packet delay

This is the delay between groups of packets sent to each scanned host. A
short delay means that packets are sent more frequently. A long delay means
that packets are sent less frequently.

Port scanning and host discovery

This setting determines the aggressiveness (parallelism) of port scanning
and host discovery at the port level.

Lowering the intensity level has the effect of serializing port scanning and
host discovery. This is useful for certain network conditions like cascading
firewalls and lower scan prioritization on the network.

Port scanning and host discovery are the phases of a scan that tend to place
the highest burden on firewall state tables. If you are scanning through a
firewall, you should reduce the intensity level.


• Load Balancer Detection



When load balancer detection is enabled in the Scan section, Qualys checks each
target host to determine if it’s a load balancer.

When a load balancer is detected, Qualys determines the number of Web servers
behind it and reports QID 86189 - “Presence of a Load-Balancing Device
Detected” in your results.

• Password Brute Forcing



A password brute force attack attempts to gain unauthorized access to a system
or network by guessing credentials. Common targets of brute force attacks are
hosts running FTP, SSH and Windows.
Use Password Brute Forcing to identify hosts with default, weak or guessable
passwords.
Note that each guess is a failed login on the target, so enabling this can
trigger account lockout policies and generate authentication alerts; agree the
scope with the system owners before turning it on against production hosts.


• Vulnerability Detection



The “complete” Vulnerability Detection option includes the most comprehensive
list of vulnerability assessment checks. This is the recommended “Vulnerability
Detection” option.

The “Custom” option allows you to include your list of vulnerabilities using one
or more Search Lists.




Basic host information checks

Basic host information checks look for things like DNS hostname, NetBIOS
hostname and operating system.

Once we have this information for a host, we show it in your scan reports, in
remediation tickets, and so on. These types of checks are always included in
Complete scans. But if you’re performing a Custom scan, you must select this
option in the profile, or we won’t check for this basic host information.

Intrusive Checks

By default, intrusive checks are excluded from scans unless you take action to
include them.

Some remote vulnerabilities can be detected reliably only by actually
exploiting them, and the exploit attempt may leave the remote system or
service in an unstable state (crashed or hung). Include intrusive checks only
against hosts whose owners accept that risk, and schedule them outside
production hours.

• Authentication



Using host authentication (trusted scanning) allows our service to log in to each
target system during scanning.

Once logged in, Qualys can fully assess the system’s security posture.

Running authenticated scans gives you the most accurate results with fewer
false positives.

• Test Authentication



Use this option to run a quick, custom scan to test if authentication to target
hosts is successful.
This way, you can identify issues with authentication credentials before running
a full scan.

• Additional Certificate Detection



We’ll automatically find certificates on ports/services when you run full port
scans.
Enable the Additional Certificate Detection option in your option profile (along
with authentication) to also find certificates in locations like Apache, Tomcat,
Java KeyStore and Windows IIS. Note - You’ll need to run new vulnerability scans
after making changes to your option profile.

• Dissolvable Agent

The Dissolvable Agent is required for certain scan features (like Windows Share
Enumeration).

At scan time, the agent is installed on Windows devices to collect data, and once
the scan is complete, it dissolves (removes) itself completely from target
systems.

Use Windows Share Enumeration to find Windows shares that are readable by
everyone, and report details about them, like the number of files in each share
and whether the files are writable.

This is good for identifying files that may need tighter access control. This
security test is performed using QID 90635.

To use this feature:

1. Enable the use of the Dissolvable Agent
2. Include QID 90635 in the Vulnerability Detection section
3. Define a Windows authentication record

• Lite OS Scan

During a normal scan, some methods used to identify the operating system are
expensive both computationally and in terms of time required.

In addition, some of these methods may create many system or application alerts
if the target is so configured.

When this option is enabled, and QID 45017 is present in a scan, the scan
removes expensive OS detection methods from the initial host discovery phase.
These methods may still be executed later during vulnerability testing if other
QID detections need them, but not as a part of host discovery when basic host
inventory info is collected.

• Add a Custom HTTP Header Value


When authorized scans run, you can add a specific value to the “Qualys-Scan:”
HTTP header so that your web-tier defenses (logging, IPS, WAF, and similar) can
recognise scanner traffic and be configured to let it through rather than
block it. The header is set for many CGI and Web Application fingerprinting
checks. Treat the value as a shared secret: anyone who learns it can label
their own traffic as a scan.

• Host-Alive Testing



This option allows you to run a quick scan to determine which target hosts are
alive without performing other scan tests.
The Appendix section of your Scan Results report will list the hosts that are alive
and hosts that are not alive.

• Do not overwrite OS

When selected, we will not update the operating system recorded for your
target hosts.

This is especially useful if you’re running a light or custom scan or a one-off
unauthenticated scan, and you don’t want to overwrite the OS detected by a
previous, more thorough (for example authenticated) scan.



Lab 3 - https://ior.ad/7LHj

Lab 3 will teach you how to create a new Option Profile.

LAB 4 - 6: Authentication

Qualys recommends performing authenticated scans.

Use authenticated scans to:
• Enumerate installed software, running services, and open ports
• Accurately detect the operating system
• Detect more vulnerabilities
• Improve detection accuracy
• Reduce the number of potential (unconfirmed) vulnerabilities and the time
required to investigate them

For Windows authentication, Administrator privileges are recommended for the
most accurate security assessment and recommended fixes for your system.

Using an account with administrator privileges allows us to collect information
based on registry keys, administrative file shares (such as C$) and running services.

To learn more about Windows authentication, please visit:
https://www.qualys.com/docs/qualys-authenticated-scanning-windows.pdf

For Unix authentication, the account you provide must be able to:
• execute “uname” to detect the platform for packages
• read /etc/redhat-release and execute “rpm” (if the target is running Red Hat)
• read /etc/debian_version and execute “dpkg” (if the target is running
Debian).
Many more commands are run during an authenticated scan. This document lists
the commands used during a Unix authenticated scan -
https://success.qualys.com/discussions/s/article/000006220

To learn more about Unix authentication, please visit:
https://www.qualys.com/docs/qualys-authenticated-scanning-unix.pdf
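A pre-flight check you can run as the scan account on a candidate Unix target before creating the authentication record. This is an added example, not Qualys code or a Qualys tool: it verifies only the commands and files this section lists (uname, /etc/redhat-release with rpm, /etc/debian_version with dpkg), which is a subset of what a real authenticated scan needs, so a pass here is necessary but not sufficient.

```python
"""Pre-flight check for a Unix scan account. Run on the target as the account
that will be stored in the Qualys authentication record. Added example; it
covers only the checks named in this section."""
import os
import shutil
import subprocess

# Release file -> package tool the account must be able to execute.
PLATFORM_CHECKS = {
    "/etc/redhat-release": "rpm",
    "/etc/debian_version": "dpkg",
}


def can_run(cmd):
    """True when cmd[0] is on PATH and the harmless invocation exits 0."""
    if shutil.which(cmd[0]) is None:
        return False
    try:
        return subprocess.run(cmd, capture_output=True, timeout=10).returncode == 0
    except (OSError, subprocess.SubprocessError):
        return False


def precheck_unix_account():
    """Return {check_name: bool}; the overall verdict is under 'ok'."""
    results = {"uname": can_run(["uname", "-s"])}
    detected = False
    for release_file, tool in PLATFORM_CHECKS.items():
        if os.path.isfile(release_file):
            detected = True
            # The scanner reads the release file to pick the package manager,
            # then runs that package manager to enumerate installed software.
            results[f"read {release_file}"] = os.access(release_file, os.R_OK)
            results[f"execute {tool}"] = can_run([tool, "--version"])
    results["platform_recognised"] = detected
    results["ok"] = all(v for k, v in results.items() if k != "platform_recognised")
    return results


if __name__ == "__main__":
    for name, passed in precheck_unix_account().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

If the report shows "platform_recognised" as False the host is neither Red Hat nor Debian based and the scanner will use other commands not covered here; consult the command list linked above for that platform.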

Lab 4 - https://ior.ad/7LHq


Lab 5 - https://ior.ad/7LHp


Lab 6 - https://ior.ad/7LHr


The above labs will teach you how to create authentication records for Windows
and Unix, and how to launch an authenticated scan.

LAB 7: Agentless Tracking and Merging
With Agentless Tracking Identifier, you can track hosts by host ID instead of relying
on the IP address or DNS name or NetBIOS name to identify the host.

When enabled, Qualys will write a unique host ID on Windows and Unix hosts
during the scanning process and report on the host ID for the current and future
scans of the same host.

This gives users who scan systems with multiple IP addresses a way to
consolidate all vulnerability data for a host under one unique host ID instead
of one asset record per interface.

Before using Agentless tracking identifier, the Manager primary contact of your
subscription must enable the feature.

After accepting the use of Agentless Tracking identifier, you can enable it at the host
level when you’re creating Windows or Unix authentication records:




Agent Correlation Identifier



Agent Correlation Identifier allows you to merge unauthenticated and authenticated
vulnerability scan results from scanned IP interfaces and agent VM scans for your
cloud agent assets. The Agent Correlation Identifier is supported for VM only and is
detected by QID 48143 “Qualys Correlation ID Detected”.


Data Merging



The following data merging options are available:

1. Do not merge data - Data collected from agents is displayed separately
from data collected by scanner appliances. Hosts with IP tracking enabled
will display a separate asset record for each scanned interface.

2. Merge data by scan method - When combined with the Agentless Tracking
Identifier, this option merges data collected from all scanned interfaces
(i.e., IP tracking enabled) into a single scanner asset record, while agent
data is still kept in its own record.

3. Merge data for a single unified view - Data collected from agents is
merged with data collected from scanner appliances into a single unified
view, so SCAN data and AGENT data for the same host appear as one asset.

4. Enable smart merging - Option three is applied automatically to
hosts with agents installed; option one is used for hosts without
agents.

Lab 7 - https://ior.ad/7LHk

Lab 7 will teach you how to enable agentless tracking to merge data collected by the
scanner appliance and the cloud agent.
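The four merging options, applied to a small constructed data set so the difference between them is visible. This is an added example and not Qualys code: the record layout, the host ID "HID-A", the IP addresses and the QID numbers are all invented, and keying by IP whenever no host ID is available (or Agentless Tracking is off) is a modelling assumption based on this section's description, not a statement of how the Qualys platform is implemented.

```python
"""Model of tracking method + data-merging option on asset records.
Added example; all records and identifiers below are constructed."""
from collections import defaultdict

# Constructed sample: a dual-homed Linux server seen by the scanner on two
# interfaces (IP tracking) and by its Cloud Agent, plus a scanner-only host
# for which Agentless Tracking has not written a host ID yet.
SCAN_RECORDS = [
    {"source": "scanner", "ip": "10.0.1.10", "host_id": "HID-A", "qids": {11111, 22222}},
    {"source": "scanner", "ip": "10.0.2.10", "host_id": "HID-A", "qids": {11111, 33333}},
    {"source": "scanner", "ip": "10.0.3.50", "host_id": None, "qids": {44444}},
]
AGENT_RECORDS = [
    {"source": "agent", "ip": "10.0.1.10", "host_id": "HID-A", "qids": {22222, 55555}},
]


def asset_key(record, agentless_tracking):
    """Key a record by host ID when one is available, otherwise by IP."""
    if agentless_tracking and record["host_id"]:
        return ("host_id", record["host_id"])
    return ("ip", record["ip"])


def merge_records(scan_records, agent_records, mode, agentless_tracking=True):
    """Return {asset_key: union of QIDs}.

    mode: "none"           - option 1, nothing is merged
          "by_scan_method" - option 2, interfaces merge, agent stays separate
          "unified"        - option 3, scanner and agent merge into one asset
          "smart"          - option 4, unified for agent hosts, none otherwise
    """
    agent_hosts = {r["host_id"] for r in agent_records if r["host_id"]}
    merged = defaultdict(set)
    for rec in scan_records + agent_records:
        effective = mode
        if mode == "smart":
            effective = "unified" if rec["host_id"] in agent_hosts else "none"
        if effective == "none":
            key = ("ip", rec["ip"], rec["source"])           # never collapse
        elif effective == "by_scan_method":
            key = asset_key(rec, agentless_tracking) + (rec["source"],)
        elif effective == "unified":
            key = asset_key(rec, agentless_tracking)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        merged[key] |= rec["qids"]
    return dict(merged)


if __name__ == "__main__":
    for mode in ("none", "by_scan_method", "unified", "smart"):
        view = merge_records(SCAN_RECORDS, AGENT_RECORDS, mode)
        print(f"{mode:15s} {len(view)} asset record(s)")
    print("unified, no agentless tracking:",
          len(merge_records(SCAN_RECORDS, AGENT_RECORDS, "unified", False)))
```

The last line of the demo is the point of Lab 7: with Agentless Tracking disabled the "unified" option still leaves the second interface of the dual-homed host as its own asset, because there is no host ID to join it on.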
LAB 8: Scan Results

The amount of time taken for a scan to complete depends on multiple factors:

1. Host type - hosts that provide minimal services will typically scan in less time
than hosts providing multiple services to other assets on your network.
2. Host and network utilization – hosts and network segments that are heavily
utilized typically take longer to scan than those that are not.
If possible, it’s a good idea to schedule your scans for low host and network
utilization periods.
3. Number of scanners - adding multiple scanner appliances to a scan task will
typically complete the scan sooner than using a single scanner appliance.
Placing scanner appliances close to their targets (a limited number of network
hops) also reduces latency and improves scan performance and overall scan time.
4. Option Profile settings - the settings that you configure in your scanning Option
Profile can be designed to increase scan performance and reduce overall scan
time.

Identify hosts taking a long time to scan:

Use “QID 45038 – Host Scan Time” to identify hosts taking longer than usual to
scan.



When you’ve identified the host that is taking longer, use “QID 45426 – Scan
Activity per Port” to determine which port on the host is causing the scan to run
longer.

Hosts positioned behind a firewall:

Hosts positioned behind a firewall may have ports filtered (probes silently
dropped rather than answered), and every filtered port has to time out, which
slows the scan down.

Use “QID 34011 – Firewall Detected” to identify hosts where a packet filtering
device was detected and which ports it filters.


Lab 8 - https://ior.ad/7LHs

Lab 8 will teach you how to generate an authentication report to verify
authentication status. This should be the first step after each authenticated
scan, because a scan whose authentication silently failed produces the
unauthenticated results described in Lab 3, not the accurate results you expect.

LAB 9 - 11: Scan Analysis

Some QIDs can help analyze your scan results. These include:

QID 6 – DNS Host Name


QID 45017 – Operating System Detected
QID 45038 – Host Scan Time
QID 45179 – Report Qualys Host ID Value
QID 45180 – Report Qualys Host ID Access Errors
QID 82004 – Open UDP Services
QID 82023 – Open TCP Services
QID 90194 – Windows Registry Pipe Access Level
QID 90195 – Windows Registry Key Access Denied
QID 105015 - Windows Authentication Failed
QID 105053 - Unix Authentication Failed

To analyze scan results, you can create a search list with the above QIDs.

To create a search list, go to Knowledge Base > Search Lists > New > Static, and add the
above QIDs.

After creating a search list, create a Report Template using it.

To create a report template, go to Reports > Templates > New > Scan Template

Add the search list to the report template.



After creating the template, run a report using it.
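The report built in Labs 9 - 11 is meant to be read by a person; the same triage (slow hosts from QID 45038, the slowest port from QID 45426, firewall presence from QID 34011, and the authentication-failure QIDs from the search list above) can be automated over an exported scan result. This is an added example and not Qualys code: the XML below is a constructed sample that only follows the general IP/INFOS/CAT/INFO layout of a Qualys scan results export, the RESULT texts are invented, and the threshold of one hour is an arbitrary choice. Check the element names and RESULT formats against the scan results DTD of your subscription before pointing it at real exports.

```python
"""Triage a scan results export for the Lab 8 - 11 analysis QIDs.
Added example; SAMPLE_XML is constructed, not a real Qualys export."""
import re
import xml.etree.ElementTree as ET

# QIDs this section uses for scan analysis (numbers from the supplement).
ANALYSIS_QIDS = {
    6: "DNS Host Name", 45017: "Operating System Detected",
    45038: "Host Scan Time", 45426: "Scan Activity per Port",
    34011: "Firewall Detected", 105015: "Windows Authentication Failed",
    105053: "Unix Authentication Failed",
}

SAMPLE_XML = """<SCAN>
 <IP value="10.0.1.10" name="web01.example.test">
  <INFOS><CAT value="Information gathering">
   <INFO number="45038" severity="1"><TITLE>Host Scan Time</TITLE>
    <RESULT>Scan duration: 5400 seconds</RESULT></INFO>
   <INFO number="45426" severity="1"><TITLE>Scan Activity per Port</TITLE>
    <RESULT>Port  Time
443   4200
80    600</RESULT></INFO>
   <INFO number="34011" severity="1"><TITLE>Firewall Detected</TITLE>
    <RESULT>Filtered ports: 22, 3306</RESULT></INFO>
  </CAT></INFOS>
 </IP>
 <IP value="10.0.1.11" name="db01.example.test">
  <INFOS><CAT value="Information gathering">
   <INFO number="45038" severity="1"><TITLE>Host Scan Time</TITLE>
    <RESULT>Scan duration: 300 seconds</RESULT></INFO>
   <INFO number="105053" severity="1"><TITLE>Unix Authentication Failed</TITLE>
    <RESULT>Authentication failed for 10.0.1.11</RESULT></INFO>
  </CAT></INFOS>
 </IP>
</SCAN>"""


def parse_scan(xml_text):
    """Return {ip: {qid: result_text}} restricted to the analysis QIDs."""
    hosts = {}
    for ip in ET.fromstring(xml_text).iter("IP"):
        found = {}
        for info in ip.iter("INFO"):
            qid = int(info.get("number"))
            if qid in ANALYSIS_QIDS:
                found[qid] = (info.findtext("RESULT") or "").strip()
        hosts[ip.get("value")] = found
    return hosts


def scan_seconds(result):
    """Extract the duration from a QID 45038 result, or None."""
    m = re.search(r"(\d+)\s*seconds", result)
    return int(m.group(1)) if m else None


def slowest_port(result):
    """From a QID 45426 'port time' table return (port, seconds) with the
    largest time, or None when the table is absent."""
    best = None
    for line in result.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit() and parts[1].isdigit():
            port, secs = int(parts[0]), int(parts[1])
            if best is None or secs > best[1]:
                best = (port, secs)
    return best


def triage(xml_text, slow_threshold=3600):
    """Per-host summary: scan time, slow flag, slowest port, firewall, auth."""
    report = {}
    for ip, qids in parse_scan(xml_text).items():
        secs = scan_seconds(qids.get(45038, ""))
        report[ip] = {
            "scan_seconds": secs,
            "slow": secs is not None and secs > slow_threshold,
            "slowest_port": slowest_port(qids.get(45426, "")),
            "firewall": 34011 in qids,
            "auth_failed": any(q in qids for q in (105015, 105053)),
        }
    return report


if __name__ == "__main__":
    for ip, row in triage(SAMPLE_XML).items():
        print(ip, row)
```

In the sample the web host is flagged slow with TCP/443 as the port eating most of the time, which is the cue to look at the performance settings and the firewall in front of it, while the database host is fast but failed Unix authentication, so its vulnerability results are unauthenticated and should not be trusted until the record is fixed.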




Lab 9 - https://ior.ad/7LHt


Lab 10 - https://ior.ad/7LHu


Lab 11 - https://ior.ad/7LHv

The above labs will teach you:
• how to create a custom search list with the required QIDs for scan analysis
• how to add the search list into a report template
• and, how to build a report using the template.

LAB 12 - 14: Scan Types

Organizations can use different types of scans to achieve different objectives.

As an example, we recommend the following three types of scans:

1. Certification or Accreditation scans:

o The goal is to ensure that assets meet a baseline of security requirements before
being moved into production
o Typical items to check for include default/vendor-defined passwords, open
ports, unnecessary software, missing patches etc.
o Recommended Option Profile settings:
§ Full scan – All ports
§ Password brute-forcing enabled
§ Complete vulnerability detection
§ Authentication enabled
o Fix identified issues and rescan to ensure that the host meets the baseline before
moving into production

2. Discovery or Inventory scans:


o The goal is to perform lightweight scans to collect metadata for asset inventory
and discovery purposes
o Should ideally include all hosts on the network
o Being a light scan, it may be performed frequently to maintain an up-to-date
inventory
o Recommended Option Profile settings:
§ TCP Ports – 21-23, 25, 53, 80, 88, 110-111, 135, 139, 443, 445, 515, 1433,
1521
§ UDP Ports - 53, 111, 135, 137, 161, 500
§ Custom vulnerability detection includes:
• Windows authentication results
• Unix authentication results
§ Include “basic host information checks”
§ Authentication enabled
o Note – use the pre-defined Option Profile named “Light Inventory scan”

3. Assessment scans:
o The goal is to perform a thorough assessment to detect and mitigate
vulnerabilities
o Should be performed frequently
o Should include all hosts in the network
o Recommended Option Profile settings:
§ Standard Scan – 1900 TCP and 180 UDP ports
§ Complete vulnerability detection
§ Authentication enabled

Lab 12 - https://ior.ad/7LHC


Lab 13 - https://ior.ad/7LHE


Lab 14 - https://ior.ad/7LHF

The above labs will teach you how to configure different types of scans –
certification/accreditation scan, inventory scan, and assessment scan.

LAB 15 - 16: Scanning Cloud Agent hosts

The Cloud Agent cannot detect a small percentage of vulnerabilities because it is locally
installed on the host and hence cannot execute remote-only checks.

An example is QID 38123 – OpenSSL SSLv2 Malformed Client Key Remote Buffer
Overflow Vulnerability

Such vulnerabilities can only be detected by scanning with an appliance.

To achieve full scan coverage, you should also scan your Cloud Agent hosts
with a scanner appliance.

To save scan time and prevent duplication of effort, you can include only those QIDs
that the Cloud Agent cannot detect.

To do so, follow these steps:

1. Create a dynamic search list of all QIDs that the Cloud Agent can detect

2. Create an Option Profile that includes all vulnerabilities except those detected by
the agent (exclude search list created in Step 1)

3. Run a vulnerability scan with the Option Profile created in Step 2.


Lab 15 - https://ior.ad/7LHG


Lab 16 - https://ior.ad/7LHH

The above labs will teach you how to create a custom search list for agent-
detectable QIDs, and then exclude it from a scan.
LAB 17 - 18: Delegating scan tasks
Each Qualys user is assigned a pre-defined user role which determines what actions the
user can take.

The most privileged users are Managers - they have full privileges and access to all
assets in the subscription.

Scanners have limited permissions, restricted to the assets assigned to them,
and can launch scans against those assets.

By assigning the “scanner” role to users, you can permit them to launch scans
on their assigned assets without granting Manager privileges over the whole
subscription.

To delegate scan permissions:

1. Create a user with the “scanner” role

2. Assign asset groups to the user’s profile

When the user logs in, they will have permissions granted by the role and can access the
configured assets only.


Lab 17 - https://ior.ad/7LHI


Lab 18 - https://ior.ad/7LHJ

The above labs will teach you how to create a new user with the Scanner role, and
how a user with Scanner role can launch a scan.

