SSBP Lab Tutorial Supplement 2Q 2023 V2

Scanning Strategies and Best Practices

(SSBP)

Lab Tutorial Supplement

Copyright 2023 by Qualys, Inc. All Rights Reserved.


Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other
trademarks are the property of their respective owners.

Qualys, Inc.
919 E Hillsdale Blvd
4th Floor
Foster City, CA 94404
1 (650) 801 6100

SSBP Lab Tutorial Supplement 1


Table of Contents
ADDING SCANNABLE HOSTS ....................................................................................................................................... 3
SCAN TYPES AND RECOMMENDED SETTINGS ......................................................................................... 4
Perimeter Scan .................................................................................................................................................................................. 4
On-prem Scan ..................................................................................................................................................................................... 5
Cloud Scanning – VM/VMDR ....................................................................................................................................................... 6
Cloud Perimeter Scan – Connectors App ............................................................................................................................. 10
SCHEDULING SCANS ..................................................................................................................................................... 13
AUTHENTICATION ........................................................................................................................................................ 15
Authentication Record ................................................................................................................................................................ 15
Privileged User Accounts ............................................................................................................................................................ 17
MONITORING AUTHENTICATION ............................................................................................................................ 19
Checking Authentication Upfront........................................................................................................................................... 19
Monitoring Finished Scans ........................................................................................................................................................ 19
VIRTUAL SCANNER APPLIANCE DEPLOYMENT .................................................................................................. 23
DELEGATING SCAN ACTIVITIES ............................................................................................................................... 26
IP-based scoping ............................................................................................................................................................................ 26
Tag-based scoping ........................................................................................................................................................................ 27
IMPROVING PERFORMANCE ..................................................................................................................................... 30
Scan Performance Settings ....................................................................................................................................................... 30
Reporting Scan Time .................................................................................................................................................................... 31
SCANNING CLOUD AGENTS ........................................................................................................................................ 34
AGENTLESS TRACKING IDENTIFIER & UNIFIED VIEW ..................................................................................... 36
Agentless Tracking Identifier ................................................................................................................................................... 36
Agent Correlation Identifier ..................................................................................................................................................... 37
Unified View ..................................................................................................................................................................................... 39
APPENDIX A: MAP SCAN ............................................................................................................................................. 41
APPENDIX B: ADDITIONAL OPTION PROFILE SETTINGS ................................................................................ 45
Authoritative Option for light scans...................................................................................................................................... 45
Close Vulnerabilities on Dead Hosts ...................................................................................................................................... 45
Purge old host data when OS is changed ............................................................................................................................ 46
Password Brute Forcing ............................................................................................................................................................. 46
Lite OS Scan...................................................................................................................................................................................... 47
Add a Custom HTTP Header Value ........................................................................................................................................ 48
Host-Alive Testing ......................................................................................................................................................................... 48
Do not overwrite OS ..................................................................................................................................................................... 49
Use System Authentication Records ...................................................................................................................................... 49
APPENDIX C: DEBUG SCAN ......................................................................................................................................... 50
APPENDIX D: MAXIMUM SCAN DURATION PER ASSET .................................................................................... 52
APPENDIX E: CERTVIEW SCAN ................................................................................................................................. 54
APPENDIX F: STATIC ROUTES................................................................................................................................... 57

Adding Scannable Hosts
This section is a review. Before you can scan, IP addresses must be added to the account
subscription. These IP addresses are your scannable hosts. The IP addresses can then be
organized into Asset Groups, which can be used as scan targets or report sources.

When adding the IP addresses, you will choose the tracking method. This is how the Qualys
Platform tracks vulnerability findings for the host. For example, if the host has multiple IP
addresses, you can use DNS Tracking to consolidate the findings for the host into a single
record in your reports. As another example, if the IP address changes over time, DNS or
NetBIOS tracking is a better option.

The tracking method for a host should remain consistent over time. If it changes, the best
practice would be to purge the asset data and run new scans for the host.

Agentless Tracking uses the Qualys Host ID to track findings. This is the recommended
practice after you have added the hosts initially. See the later section for a more detailed
discussion on Agentless Tracking.

Navigate to the following URL to view the Adding Scannable Hosts tutorial:

https://ior.ad/93qw

This lab is optional in the instructor-led course.

Scan Types and Recommended Settings
This section identifies the scan types and recommended settings that can be used for a
set-and-forget scan strategy for your organization.

Perimeter Scan
This scan identifies vulnerabilities that an attacker would see from the Public Web.

The main settings to include in this profile are:


• Full scan setting for both TCP and UDP
• Complete Vulnerability Detection
• Load Balancer Detection
• Use a custom HTTP header to identify Qualys scanner traffic in your web logs
• For large account subscriptions that can use multiple external scanners, include
these additional settings:
o Enable parallel scaling
o Custom Overall Performance (30 external scanners, 20 Total processes, and
20 HTTP processes)

By default, most account subscriptions will only use one external scanner from the pool.
Large account subscriptions will already include parallelism with multiple external scanners.
You can contact your account representative to enable this feature. If your account has this
enabled, include the additional performance settings.

To run this scan, you will organize your external-facing IP addresses into separate Asset
Groups and use them as targets. It is recommended to treat Qualys as any other potential
attacker. This way, you get the best representation of your external attack surface's
vulnerability.

Navigate to the following URL to view the Perimeter Scan Option Profile tutorial:

https://ior.ad/93qc

On-prem Scan
This scan identifies vulnerabilities as a rogue actor would see them from within your company’s
internal infrastructure.

The main settings to include in this profile are:


• Standard scan setting for both TCP and UDP
• Add additional ports specific to your environment
• Complete Vulnerability Detection
• Authentication
• Load Balancer Detection
• Additional Certificate Detection
• Dissolvable Agent
• Enable parallel scaling
• Custom Overall Performance (50 internal scanners)
• Use a custom HTTP header to identify Qualys scanner traffic in your web logs

This is an authenticated scan to not only identify vulnerabilities but also to identify and
verify patching. The Standard port list is the best list available. You would add any additional
ports that are specific to your environment.

Navigate to the following URL to view the On-prem Scan Option Profile tutorial:

https://ior.ad/93qd

Cloud Scanning – VM/VMDR


Cloud scans work with connectors you have added to your subscription. A connector
grants Qualys access to your EC2 instances by assuming the IAM role you provide during the
connector creation. This provides visibility into your cloud infrastructure.

You can create an EC2 connector within the Qualys Connectors app module. The connector
uses APIs to query metadata from the cloud provider account.

Cloud Agents will automatically assess vulnerabilities and compliance if deployed in your
EC2 instances. EC2 instances can also be scanned for vulnerabilities and compliance. You
can launch Cloud Perimeter or EC2 Scans from VM/VMDR.

You will have a selection of AWS or Azure for Cloud Perimeter Scanning.

Here you can see the Perimeter Scan Option Profile from the earlier lab is selected.

Target Hosts is where the connector is selected. The scan job will only use the connector if
you do not add the platform, region, or tags. All EC2 VPCs in the US West are targeted in the
example above.

By default, a Cloud Perimeter Scan will use the Qualys external scanners. This will scan
publicly-exposed EC2 instances discovered by the connector.

EC2 Scan – VM/VMDR


The use case for this scan type would be for scanning EC2 instances within a private network
of your cloud environment.

You can select specific instance IDs (with or without tags). Qualys will check if the instance
ID is valid when the scan is launched. Any invalid instance IDs will get skipped.

Virtual scanner appliances must be deployed within this private network space of your cloud
environment, and they must be able to reach the private EC2 instances you intend to scan for
vulnerabilities. For the scanner to see all ports of each instance, add inbound rules to the
instance's security group that allow the Qualys virtual scanner to reach all ports of the EC2
instance.

Cloud Perimeter Scan – Connectors App


Perimeter scanning is integrated into the Qualys Connectors app module. This will allow
external scanners to scan publicly-exposed EC2 instances discovered by the connector (just
like the VM/VMDR Cloud Perimeter Scan).

Here you can see that the assets discovered by this connector will be automatically activated
for VM Scanning. The Cloud Perimeter Scan has also been selected, and these discovered EC2
instances are tagged.

Under the Scans section of the Connectors app, you can set a global scan configuration.
Here you can see the Perimeter Scan Option Profile used previously is selected.

You can launch the Cloud Perimeter scan right from the Quick Actions menu of specific
connectors. It will then use the global scan profile.

Once you start the Cloud Perimeter Scan, you can see the scan job by viewing the connector
details.

Navigate to the following URL to view the Cloud Perimeter Scan tutorial:

https://ior.ad/93q9

Scheduling Scans
This section covers setting up a regular schedule your organization can rely on for
vulnerability assessment.

Scans can be scheduled daily, weekly, and monthly. The best practice is to schedule
Perimeter scans as close to daily as possible, and On-prem scans as close to weekly as
possible. This has been identified by Qualys SMEs and teams in the field working with
customers.

The Manager primary contact can enable the Relaunch on Finish option. At first, this might
sound highly inefficient, as it creates a permanent network load, but there is a use case for it:
scanning the external attack surface. The best practice is to scan external-facing IPs as close
to daily as possible. Depending on the number of IPs in the targeted Asset Group, your
Perimeter Scan might take two or more days to complete. In this case, you could schedule your
Perimeter Scan to relaunch on finish to get as close to daily as possible. Of course, it is also
possible to do benchmarking and divide the assets into multiple groups, tune scan performance
settings, and stagger multiple scans so that each scan finishes in one day. There are multiple
solutions here; relaunch on finish is just one.

Calendar viewing will show completed scans. You will be able to see how long the scan took
to finish. This is an important data point to use when you schedule reports. Reports should
be scheduled to run after the latest scans finish. That way, you are reporting the latest
information Qualys has.

The Add to my Calendar button will display a link to use in a calendar app like Outlook. Your
calendar app will need to support the iCal format (Internet Calendaring and Scheduling Core
Object Specification).

Click the following URL to view the Scheduling Scans tutorial:

https://ior.ad/93qC

Authentication
This section will cover the setup of Authentication Records to perform authenticated scans.

Authentication Record
Vulnerability scanning is a privileged operation. Admin privileges are needed to give the
findings absolute certainty. Authentication also ensures that the software applications on the
host system are enumerated.

Within the Option Profile, you will enable Authentication. The scanner will then pull
credentials for the host from the Authentication Records.

An authenticated scan needs authentication enabled in the Option Profile and an
Authentication Record. As seen above, records with credentials are set up under the
Authentication tab. Qualys also supports integration with third-party vault services.

Local Windows and Unix Authentication Records will need assets assigned by IP address.
The IP address can be added manually or by selecting an Asset Group or Asset Tag. If you
use Asset Tags, the IP addresses with the assigned tag will be associated with the
Authentication Record, and the Tag-to-IP is resolved at scan launch time. This will lengthen
the scan time. You do not need to select assets for Authentication Records using Windows
Active Directory or NetBIOS Service-Selected IPs.

The tag used in the lab tutorial uses an IP Address in Range(s) rule to identify the entire
10.10.10.0/24 subnet.

More information on Tag Support for Authentication Records can be found here:
https://qualysguard.qualys.com/qwebhelp/fo_portal/authentication/tag_support.htm

Privileged User Accounts


The Windows Administrator or Unix/Linux root user accounts should not be used in the
Authentication Records. Instead, make accounts that only the Qualys scanner will use, not
for interactive logins. The Windows account can be added to the Administrators group, and
root delegation can be used for Unix/Linux.

The scanner must be able to pull information from the Windows registry. If Remote Registry
Service is disabled, you must enable Dissolvable Agent in the Option Profile. QID 90194 in
the scan results will reflect if a target host has Remote Registry Service disabled.

The Dissolvable Agent preceded the Qualys Cloud Agent. They are not the same. The
Dissolvable Agent is very slim and looks explicitly for registry keys that the scanner needs
but are blocked by disabling Remote Registry Service. All agent traces are removed when
the scan on the host is complete.

Be careful with the SMB signing checkbox on the Windows Authentication Record. As you
can see in the picture, it is for legacy Windows versions and is host dependent. The setting
will lower performance and cause bad login messages if using the record with hosts that
don’t support it. It is recommended to keep this off.

To prevent MITM attacks where someone tries to prompt the Qualys scanner for a
password, you can use public/private key pairs. The best choice is RSA or DSA. The key
should be created on the host using the ssh-keygen command, which ensures the keys are
PEM-encoded. A scanner account must still be added to the host. The public key goes into
that account's authorized_keys file on the host, and the private key is added to the
Authentication Record.

These are additional resources to reference:


• Supported authentication technologies for VM and PC:
https://success.qualys.com/support/s/article/000006761
• Windows authentication set up:
https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/authentication/win_windows_record.htm
• Unix authentication set up:
https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/authentication/win_unix_record.htm
• Privileged commands used during Unix authenticated scanning:
https://success.qualys.com/discussions/s/article/000006220
• Whitepapers that address requirements and configurations for other OS,
applications, and vault services: https://www.qualys.com/documentation/#scan-authentication

Navigate to the following URL to view the Authentication Records with the IP Range Tag
tutorial:

https://ior.ad/93qG

Monitoring Authentication
This section covers methods for monitoring whether scans completed using
authentication.

A best practice is to run authenticated scans for internal assets and monitor whether they
completed using authentication.

Checking Authentication Upfront


A separate Option Profile can be made with Test Authentication enabled. This gives a way to
check authentication upfront before your formal scanning is started.

An Option Profile with this checkbox enabled performs authentication testing only. It is
narrowed in scope to the QIDs related to authentication, and no vulnerability detection is
attempted. Some Qualys subscriptions are Pay Per Scan, where it can be costly to run a full
scan only to learn that many target hosts failed authentication; a Test Authentication scan does
not count against Pay Per Scan.

Monitoring Finished Scans


After a scan completes and you have scan results, there are a few ways to monitor
authentication.

By clicking Details on each Authentication Record, you can see whether the scanner
successfully logged into each host on the last finished scan.

For many scan targets, checking the status of every Authentication Record would require
some effort. A second way would be to run an Authentication Report after your scan
finishes.

The Authentication Report is a best practice because not everyone can view the Qualys UI to
see the dashboard or query data. This type of report can be scheduled to run just after your
regular scan jobs are complete. From this report, you can confirm the Status of each host.

The last way to monitor would be to develop queries for the specific Information Gathered
QIDs related to authentication. These queries can then be turned into widgets for
monitoring on your dashboard.

The following are example queries that can be used:
• Windows auth successful: vulnerabilities.vulnerability.qid:70053
• Windows auth failed: vulnerabilities.vulnerability.qid:105015
• Linux auth successful: vulnerabilities.vulnerability.qid:38307
• Linux auth failed: vulnerabilities.vulnerability.qid:105053

Here you can see how to turn a query into a widget. This combo query produces a dataset of
all Linux or Unix hosts that failed authentication on the latest scan.
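The same classification the widgets perform, done offline over an exported host list, as an added example (not Qualys code or a Qualys API). It uses the four Information Gathered QIDs above on constructed host records, and also surfaces a case the queries above never show: hosts with no authentication QID at all, which usually means no Authentication Record covered that IP.

```python
"""Classify hosts by scan-authentication outcome using the Information
Gathered QIDs listed in this section (70053/105015 for Windows,
38307/105053 for Linux/Unix). Example code added to this supplement, not a
Qualys tool; the records below are constructed to resemble a per-host list
of the QIDs found on the latest scan, not a real API response."""

WINDOWS_AUTH_OK = 70053
WINDOWS_AUTH_FAILED = 105015
UNIX_AUTH_OK = 38307
UNIX_AUTH_FAILED = 105053

AUTH_QIDS = {
    WINDOWS_AUTH_OK: ("windows", "success"),
    WINDOWS_AUTH_FAILED: ("windows", "failed"),
    UNIX_AUTH_OK: ("unix", "success"),
    UNIX_AUTH_FAILED: ("unix", "failed"),
}

# Constructed sample: host name, OS, and the QIDs the latest scan reported
# for it (only the authentication QIDs matter for this check).
SAMPLE_HOSTS = [
    {"host": "win-app01", "os": "Windows Server 2019", "qids": [70053, 90194]},
    {"host": "win-db02", "os": "Windows Server 2016", "qids": [105015]},
    {"host": "lnx-web01", "os": "Ubuntu 22.04", "qids": [38307]},
    {"host": "lnx-web02", "os": "Red Hat Enterprise Linux 8", "qids": [105053]},
    # No authentication QID at all: the record probably never covered this IP.
    {"host": "lnx-legacy", "os": "CentOS 7", "qids": [45038]},
    # Contradictory data (both QIDs present): treat as failed and surface it.
    {"host": "win-odd", "os": "Windows 10", "qids": [70053, 105015]},
]


def auth_status(record):
    """Return (platform, status) for one host record.

    status is 'success', 'failed' or 'not_attempted'. A host that reports
    both a success and a failure QID is reported as 'failed' so that it is
    not hidden from the failure widget."""
    outcomes = {AUTH_QIDS[q] for q in record["qids"] if q in AUTH_QIDS}
    if not outcomes:
        return ("unknown", "not_attempted")
    failed = [p for p, s in outcomes if s == "failed"]
    if failed:
        return (failed[0], "failed")
    platform, status = next(iter(outcomes))
    return (platform, status)


def failed_hosts(records, platform=None):
    """Equivalent of the failure widgets: hosts whose latest scan reported an
    authentication-failure QID, optionally limited to one platform."""
    result = []
    for rec in records:
        plat, status = auth_status(rec)
        if status == "failed" and (platform is None or plat == platform):
            result.append(rec["host"])
    return result


def unattempted_hosts(records):
    """Hosts with no authentication QID at all. The dashboard queries above
    never list these, so check for them separately."""
    return [r["host"] for r in records if auth_status(r)[1] == "not_attempted"]


def summary(records):
    """Counts per status, suitable for a single summary widget."""
    counts = {"success": 0, "failed": 0, "not_attempted": 0}
    for rec in records:
        counts[auth_status(rec)[1]] += 1
    return counts


if __name__ == "__main__":
    print("failed (unix):", failed_hosts(SAMPLE_HOSTS, "unix"))
    print("failed (all):", failed_hosts(SAMPLE_HOSTS))
    print("not attempted:", unattempted_hosts(SAMPLE_HOSTS))
    print("summary:", summary(SAMPLE_HOSTS))
```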

There are many prebuilt dashboards on the Qualys Community that you can import. This
can save you time since editing widget queries would be faster than creating a dashboard
from scratch.

The following is a prebuilt dashboard for monitoring Windows authentication:


https://success.qualys.com/discussions/s/article/Dashboard-Toolbox-Unified-Dashboard-Windows-Authentication-Management-v1-4

The Subscription Health dashboard that you will see in the lab tutorial is from a template in
the dashboard app library. It includes widgets that report most of the information covered
in this course.

Navigate to the following URL to view the Subscription Health Dashboard tutorial:

https://ior.ad/95va

Virtual Scanner Appliance Deployment
This section will cover the deployment of a virtual scanner appliance.

Deployment of the physical or virtual scanner appliance is similar. The appliance will have a
WAN port that needs IP settings to reach back to the Qualys Cloud Platform.
Communication occurs on TCP 443. There is also a LAN port on the appliance that will need
IP settings to reach scan targets.

The physical scanner hardware will have an LCD panel that displays a personalization code.
When adding a new Scanner Appliance, you will need this code for the physical scanner to
latch to your subscription.

You will use the wizard to deploy when adding a new Virtual Scanner Appliance. It will
prompt you to choose a Virtualization Platform. The matrix of supported virtualization
platforms can be found here:
https://success.qualys.com/discussions/s/article/000006057

The Platform will generate a personalization code that you will add to the virtual machine’s
console.

After personalization completes and the virtual appliance latches, you will see it in the list of
appliances. You can edit the appliance on the Quick Actions menu to add Asset Tags.

Scanners that remain connected to the Qualys Platform will synchronize their code and
signatures automatically. There is a heartbeat check performed on every scanner appliance
every 4 hours. This ensures they are online, ready to process scans, and can obtain software
updates. You can set up email notifications if the scanner misses a specific number of
heartbeat checks. The default polling interval is 180 seconds, which governs how often the
scanner appliance polls the Qualys Platform for new information. It can be set to a value
between 60 to 3600 seconds.

Navigate to the following URL to view the Virtual Scanner Appliance Deployment tutorial:

https://ior.ad/95Dm

Delegating Scan Activities
This section will cover ways to assign assets to Qualys users to delegate scan activities.

Qualys users will have predefined user roles. The Manager user is the most privileged.

Scanner users can launch vulnerability and map scans on assets that they have been
assigned. This will allow you to delegate scan activities to other Qualys users and not rely on
the Manager to do everything. The Qualys external scanners are usable by all user roles that
can run scanning activities; no scoping is required.

IP-based scoping
You can assign the Scanner user to an Asset Group. This is one way to allow them access to
hosts to scan.

Within the Asset Group, you must add scanner appliances for the Scanner user to scan the
group. This is IP-based scoping of user access.

Tag-based scoping
Tag-based user scoping allows for assigning visibility to objects via tags. This gives you more
flexibility, like if devices roam or have unpredictable IP addresses. Contact support or your
account representative to request Asset Tag Scoping for a subscription.

Using the Administration Utility, the Manager user can assign tags to a Scanner user to
define their scope. The user’s scope will be derived from all the assigned tags as a union
added to the assigned Asset Groups.

This function is evolving. Currently, scannable IP addresses must be available to the Scanner
user via Asset Group or Business Unit assignment. In a future release, only tags will be
needed to assign assets. Any tag can be used and tag inheritance is fully supported. It is
recommended to use a combination of Asset Group, Business Unit, and Agent Activation
Key Tags to grant visibility. An improperly scoped Dynamic Tag could enable users to see
assets beyond their intended scope. If you add the Asset Group Tag, remember to also add
the appropriate scanner appliances to the Asset Group.

Extended Permissions
As a general strategy to keep scan data consistent over time, you can restrict Scanner roles
from creating Option Profiles. Changes to the Option Profiles can impact the consistency of
data you run reports on.

The Manager user can create Option Profiles for your primary scans and make those globally
available. You can edit the user’s extended permissions and prevent Scanner users from
creating profiles. This will prevent ad hoc changes to the scan settings and maintain
consistency over time.

Click the following URL to view the Delegating Scan Activities tutorial:

https://ior.ad/93qo

Improving Performance
This section will cover improving the time required to complete scan jobs.

Scan Performance Settings


Within the Option Profile, you can customize performance settings.

A baseline using the recommended Perimeter and On-prem Option Profiles should be done
first. With that data, then you can further tune the performance settings here. With optimal
scanner placement and scheduling, tweaking these settings can further speed up scan jobs.

Below describes each setting:


• Overall Performance has High, Normal, and Low settings. Normal is a balance of
scan intensity and speed. High is a setting meant for a small number of scan targets
or scanning a single IP address. Low is optimized for highly utilized networks or low
network bandwidth connections. The Custom setting will allow you to modify the
presets (e.g., you can go lower than the Low setting). Again, the recommendation
would be to use the settings from earlier in this course, obtain a baseline, and then
tune from there.
• Hosts to Scan in Parallel sets a maximum number of hosts to scan simultaneously.
This can be set for different values for external and internal scanner appliances. The
setting can impact network bandwidth and the performance of networking gear
between the scanner and its targets.
• Processes to Run in Parallel sets the maximum number of processes to run
simultaneously per host. This increases the volume of data generated and sent to
target hosts. The setting for HTTP cannot exceed the Total. Having a separate setting
for HTTP allows you to lower the number of HTTP processes if web servers cannot
handle many requests sent to them in a short period.
• Packet Delay is the delay between groups of packets sent to each host. A short delay
means packets are sent more frequently, thus shortening the scan time. A maximum
setting will result in packets being transmitted less frequently and lengthen the scan
time.
• Port Scanning and Host Discovery determines how many ports and host discovery
tasks are done in parallel. Port scanning and host discovery phases of the scan place
the highest burden on firewall state tables. Lowering the intensity is a way to
prevent saturating a firewall’s state table.
• Enable parallel scaling for Scanner Appliances will allow the Platform to dynamically
scale the number of Hosts to Scan in Parallel at scan time. It can be useful when you
have a mixture of scanner appliances with different performance characteristics
(e.g., CPU and RAM). It is a recommended setting, and if network conditions are
favorable at scan time, this can act as a booster.

Reporting Scan Time


You can scan as many targets as you wish. There is no upper limit; it will just lengthen the
time to complete the scan job. The best practice is to use multiple scanners and deploy
additional appliances as needed.

Scan performance refers to the time it takes to complete a scan job. Having a reasonable
expectation of scan time will require benchmarking within your environment. To improve
scan performance, you can reduce the number of targets, reduce the port coverage, reduce
the number of vulnerabilities to scan for, or deploy more scanners.

The lab tutorial will show how to set up a Search List of QIDs to monitor scan performance.
QIDs 45006, 45038, and 45426 will be added to a static Search List in the lab tutorial. The
slide deck includes even more QIDs that could be useful. Treat this QID list as a starting
point that you add to over time to benchmark scans within your environment.

QID 45006 can help by showing the added latency between the scanner and the target from
the routing layers.

QID 45038 will show the total time spent scanning that target host.

QID 45426 will show the time taken to scan each open port.

You can use this information to identify slow hosts or ports. You can also get insight into
whether the scanner needs to be moved closer to the targets or if more scanners are
needed for the scan job. Adding multiple scanners to a job can reduce the time. The Qualys
Platform breaks up the scan job into slices and distributes the slices to scanners based on
available capacity.

Monitoring scan time is a practice you will want to keep up over time, not only to tune
performance settings but also to alert you to issues. This can be done with the API, QQL, or
by running a custom report, as seen in the lab tutorial.

The API can capture the “Previous Duration” information of your scheduled scans. This
information can be stored in a spreadsheet to sort/group scan performance over time.
Some examples of using the API to obtain scheduled scan information can be found in the
API User Guide:
https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf
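The trend check described above, as an added example that is not part of this supplement or of any Qualys tool: it parses a scan list response, groups finished scans by title, and flags any scan whose latest run took more than 1.5 times the median of its earlier runs. The XML below is a constructed sample shaped like a VM API v2 scan list (the `/api/2.0/fo/scan/?action=list` endpoint); the element names `SCAN`, `TITLE`, `LAUNCH_DATETIME`, `DURATION` and `STATUS/STATE`, and the assumption that `DURATION` carries the value the UI shows as "Previous Duration", come from my reading of the API User Guide and should be verified against your own subscription's output.

```python
"""Benchmark scan durations from a scan list response (added example, not Qualys code)."""
import re
import statistics
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample shaped like a /api/2.0/fo/scan/?action=list response.
# Element names are assumed from the API User Guide; verify them against real output.
SAMPLE_SCAN_LIST = """<?xml version="1.0" encoding="UTF-8"?>
<SCAN_LIST_OUTPUT>
 <RESPONSE>
  <SCAN_LIST>
   <SCAN><REF>scan/1001</REF><TITLE>On-prem Weekly</TITLE>
     <LAUNCH_DATETIME>2023-03-11T02:00:00Z</LAUNCH_DATETIME>
     <DURATION>02:10:00</DURATION><STATUS><STATE>Finished</STATE></STATUS></SCAN>
   <SCAN><REF>scan/1002</REF><TITLE>On-prem Weekly</TITLE>
     <LAUNCH_DATETIME>2023-03-18T02:00:00Z</LAUNCH_DATETIME>
     <DURATION>02:05:00</DURATION><STATUS><STATE>Finished</STATE></STATUS></SCAN>
   <SCAN><REF>scan/1003</REF><TITLE>On-prem Weekly</TITLE>
     <LAUNCH_DATETIME>2023-03-25T02:00:00Z</LAUNCH_DATETIME>
     <DURATION>02:12:00</DURATION><STATUS><STATE>Finished</STATE></STATUS></SCAN>
   <SCAN><REF>scan/1004</REF><TITLE>On-prem Weekly</TITLE>
     <LAUNCH_DATETIME>2023-04-01T02:00:00Z</LAUNCH_DATETIME>
     <DURATION>04:40:00</DURATION><STATUS><STATE>Finished</STATE></STATUS></SCAN>
   <SCAN><REF>scan/1005</REF><TITLE>Perimeter Scan</TITLE>
     <LAUNCH_DATETIME>2023-03-25T04:00:00Z</LAUNCH_DATETIME>
     <DURATION>00:30:00</DURATION><STATUS><STATE>Finished</STATE></STATUS></SCAN>
   <SCAN><REF>scan/1006</REF><TITLE>Perimeter Scan</TITLE>
     <LAUNCH_DATETIME>2023-04-01T04:00:00Z</LAUNCH_DATETIME>
     <DURATION>00:31:00</DURATION><STATUS><STATE>Finished</STATE></STATUS></SCAN>
   <SCAN><REF>scan/1007</REF><TITLE>Ad hoc</TITLE>
     <LAUNCH_DATETIME>2023-04-02T09:00:00Z</LAUNCH_DATETIME>
     <STATUS><STATE>Running</STATE></STATUS></SCAN>
  </SCAN_LIST>
 </RESPONSE>
</SCAN_LIST_OUTPUT>
"""

# Accepts "HH:MM:SS" and, defensively, an optional "N day(s) " prefix.
DURATION_RE = re.compile(r"^(?:(\d+) days? )?(\d{1,2}):(\d{2}):(\d{2})$")


def parse_duration(text):
    """Convert a DURATION string such as '02:10:00' to whole seconds."""
    m = DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    days, hh, mm, ss = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hh * 3600 + mm * 60 + ss


def scan_history(xml_text):
    """Group finished scans by title: {title: [(launch, seconds), ...]} in launch order."""
    history = defaultdict(list)
    for scan in ET.fromstring(xml_text).iter("SCAN"):
        duration = scan.findtext("DURATION")
        # Running or cancelled scans carry no usable duration, so they are skipped.
        if scan.findtext("STATUS/STATE") != "Finished" or not duration:
            continue
        history[scan.findtext("TITLE")].append(
            (scan.findtext("LAUNCH_DATETIME"), parse_duration(duration)))
    for runs in history.values():
        runs.sort()  # ISO 8601 timestamps sort correctly as strings
    return dict(history)


def flag_slow_scans(history, factor=1.5):
    """Return (title, launch, seconds, baseline) for scans whose latest run
    exceeds factor x the median of that scan's earlier runs."""
    flagged = []
    for title, runs in history.items():
        if len(runs) < 2:
            continue  # nothing to compare against yet
        *earlier, (launch, latest) = runs
        baseline = statistics.median(seconds for _, seconds in earlier)
        if latest > factor * baseline:
            flagged.append((title, launch, latest, baseline))
    return flagged


if __name__ == "__main__":
    for title, launch, secs, base in flag_slow_scans(scan_history(SAMPLE_SCAN_LIST)):
        print(f"{title}: run at {launch} took {secs // 60} min, baseline {base // 60} min")
```

In practice you would replace `SAMPLE_SCAN_LIST` with the body returned by the API call and keep the parsed history in a file between runs; the median baseline is deliberately robust to a single slow run, so one aborted or throttled job does not shift the expectation for the next comparison.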

A prebuilt dashboard for monitoring scan time can be found here:
https://success.qualys.com/discussions/s/article/000006173

Click the following URL to begin the Reporting Scan Time tutorial:

https://ior.ad/93qt

Scanning Cloud Agents
This section will cover the use case of running a supplemental scan against a Cloud Agent
host.

The Qualys Cloud Agent is not meant to be a replacement for scanning. It complements
scanning and provides features like Patch Management and File Integrity Monitoring. It
installs as a thin service on the host’s operating system. It can find almost everything in the
Qualys KnowledgeBase for devices like desktops and endpoint systems.

QIDs with Remote Only Discovery Method in the Qualys KnowledgeBase require a network
connection to detect/confirm the vulnerability. The Cloud Agent cannot create networking
connections back onto the asset to assess every hosted service.

This presents a use case for running a supplemental scan against a Cloud Agent host. It
would be a recommended practice for assets that host networking services. Also, running a
supplemental scan will maximize the KnowledgeBase coverage.

Begin by building a Search List of all QIDs that the Cloud Agent can assess. These can be
defined by creating a dynamic list that selects all the “CA” supported modules.

In the Option Profile for this scan, select Complete Vulnerability Detection and then exclude
the Search List. This will narrow the scan to only the QIDs that Cloud Agent cannot assess.
Authentication can be used for the scan, but it is not necessary.
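The Search List logic of the two paragraphs above, as an added example that is not part of this supplement or of any Qualys tool: it splits KnowledgeBase entries into those the Cloud Agent can assess (any "CA" supported module) and the remainder that a supplemental scan must cover, and it further tells you whether that remainder is detectable remotely or needs an Authentication Record, which is the decision the text leaves to you. The XML is a constructed sample shaped like a KnowledgeBase list response; the element names `VULN`, `QID`, `DISCOVERY/REMOTE`, `DISCOVERY/AUTH_TYPE_LIST/AUTH_TYPE` and `SUPPORTED_MODULES`, and the comma-separated module format, are my assumptions about the API output and should be checked against your subscription.

```python
"""Plan a supplemental scan for Cloud Agent hosts (added example, not Qualys code)."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like a KnowledgeBase vuln list response.
# Element names and the SUPPORTED_MODULES format are assumptions; QIDs are made up.
SAMPLE_KB = """<?xml version="1.0" encoding="UTF-8"?>
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
 <RESPONSE>
  <VULN_LIST>
   <VULN><QID>900001</QID><TITLE>Constructed OS patch check</TITLE>
     <DISCOVERY><REMOTE>0</REMOTE>
       <AUTH_TYPE_LIST><AUTH_TYPE>Windows</AUTH_TYPE></AUTH_TYPE_LIST></DISCOVERY>
     <SUPPORTED_MODULES>CA/Windows, VM</SUPPORTED_MODULES></VULN>
   <VULN><QID>900002</QID><TITLE>Constructed SSL service check</TITLE>
     <DISCOVERY><REMOTE>1</REMOTE></DISCOVERY>
     <SUPPORTED_MODULES>VM</SUPPORTED_MODULES></VULN>
   <VULN><QID>900003</QID><TITLE>Constructed web server check</TITLE>
     <DISCOVERY><REMOTE>1</REMOTE>
       <AUTH_TYPE_LIST><AUTH_TYPE>Unix</AUTH_TYPE></AUTH_TYPE_LIST></DISCOVERY>
     <SUPPORTED_MODULES>VM, CA/Linux</SUPPORTED_MODULES></VULN>
   <VULN><QID>900004</QID><TITLE>Constructed SNMP exposure check</TITLE>
     <DISCOVERY><REMOTE>1</REMOTE></DISCOVERY>
     <SUPPORTED_MODULES>VM</SUPPORTED_MODULES></VULN>
   <VULN><QID>900005</QID><TITLE>Constructed config-file check</TITLE>
     <DISCOVERY><REMOTE>0</REMOTE>
       <AUTH_TYPE_LIST><AUTH_TYPE>Unix</AUTH_TYPE></AUTH_TYPE_LIST></DISCOVERY>
     <SUPPORTED_MODULES>VM</SUPPORTED_MODULES></VULN>
  </VULN_LIST>
 </RESPONSE>
</KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
"""


def parse_kb(xml_text):
    """Flatten VULN elements into dicts with the fields the planning logic needs."""
    vulns = []
    for v in ET.fromstring(xml_text).iter("VULN"):
        raw_modules = v.findtext("SUPPORTED_MODULES") or ""
        vulns.append({
            "qid": int(v.findtext("QID")),
            "title": v.findtext("TITLE"),
            "remote": v.findtext("DISCOVERY/REMOTE") == "1",
            "auth_types": [a.text for a in v.findall("DISCOVERY/AUTH_TYPE_LIST/AUTH_TYPE")],
            "modules": [m.strip() for m in raw_modules.split(",") if m.strip()],
        })
    return vulns


def agent_assessable(vulns):
    """QIDs the Cloud Agent covers: any supported module starting with 'CA'.
    This is the set the dynamic Search List in the text selects."""
    return {v["qid"] for v in vulns if any(m.startswith("CA") for m in v["modules"])}


def supplemental_plan(vulns):
    """Complete Vulnerability Detection minus the CA Search List, split by
    whether the remaining QIDs are detectable remotely or need authentication."""
    covered_by_agent = agent_assessable(vulns)
    plan = {"unauthenticated": [], "needs_authentication": []}
    for v in vulns:
        if v["qid"] in covered_by_agent:
            continue  # excluded by the Search List; the agent already reports it
        bucket = "unauthenticated" if v["remote"] else "needs_authentication"
        plan[bucket].append(v["qid"])
    return plan


if __name__ == "__main__":
    kb = parse_kb(SAMPLE_KB)
    print("Cloud Agent covers:", sorted(agent_assessable(kb)))
    print("Supplemental scan:", supplemental_plan(kb))
```

If `needs_authentication` comes back empty for your KnowledgeBase slice, the supplemental scan can stay unauthenticated as the text allows; if it does not, adding an Authentication Record is what turns those QIDs from "excluded by the agent" into findings.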

Cloud Agent host IP addresses need not be added to the subscription. When choosing the
scan target Asset Tag or IP range, use the checkbox to Temporarily add agent addresses. IP
addresses of the agent hosts will be added to the scan job if they are not in the subscription.
You must select internal scanner appliances that can reach the agent IP addresses.

It is recommended to do this type of scan from a Manager account, since Cloud Agent
hosts cannot be scoped by IP address to a Scanner user role.

Click the following URL to begin the Scanning Cloud Agents tutorial:

https://ior.ad/93qh

Agentless Tracking Identifier & Unified View
This section will cover the recommended practice of enabling the Agentless Tracking
Identifier and merging data for a unified view.

Agentless Tracking Identifier


Accepting the Agentless Tracking Identifier is a recommended practice for dynamic
environments. Only the Manager primary contact for the subscription can make this change.

A UUID that persists on the host is used to track the findings for your scan targets. This
UUID is called the Qualys Host ID.

With Agentless Tracking enabled in the Authentication Record, the Qualys
Host ID is written to the Windows registry at HKLM\Software\Qualys. In
Linux, the value is stored in a file in /etc/qualys/hostid. A Unix
Authentication Record will allow you to choose a different path.

Agent Correlation Identifier


The previous section covered the use case of running supplemental scans
against a Cloud Agent host. The scan can be authenticated or
unauthenticated.

A Cloud Agent host produces a Correlation ID that can be seen in the View
Asset Details – Agent Summary screen.

In the Configuration Profile of the Cloud Agent, you must Enable Agent Scan
Merge. The first available port from the port list is used to expose the Correlation ID.
This ID will be seen in the scan results (assuming the ports are included in
the Option Profile).

Accepting the Agent Correlation Identifier will allow the Qualys Platform to
correlate the scan results of Cloud Agent scans (authenticated or
unauthenticated). Your data merging selection determines what happens
with these correlated scan results.

Unified View
Enabling Merge data for a single unified view will result in a single asset
record that includes agent and scan data. By default, the Platform does not
merge scan and agent data; it keeps these separate.

There is a Qualys Community article covering the different merging options for several
different scenarios:
https://success.qualys.com/support/s/article/000006543

Click the following URL to begin the Agentless Tracking ID and Unified View tutorial:

https://ior.ad/93pH

Appendix A: Map Scan
This section will cover the map scan and compare/contrast with the Qualys Passive Sensor.

Most scanning activity will be for vulnerabilities. The use case for this type of scan is
discovery and finding what is alive in the network. Since this is only discovery, the scan itself
will finish quickly. It can be used to identify hosts that have stopped responding so that you
can purge their data or rogue devices that should not be on the target network.

Compared to the Qualys Passive Sensor:


• Map scanning precedes the Passive Sensor. It is not meant to be a substitute and has
fewer use cases and features than a Passive Sensor.
• The map scan is a directional discovery from the scanner appliance toward a target
IP range. This differs from a Passive Sensor that gathers data outward in all
directions looking at the network stream traversing your switching infrastructure. It
does this by having a network interface operating in promiscuous mode.
• Map scanning is an on-demand discovery of information about a target network your
scanner can reach. The scan job is set up and run in one shot. To contrast, a Passive
Sensor requires a ramp-up period, and hosts must communicate actively. It is this
narrow area where there is a use case for map scanning.

Option Profile
The Map section of the Option Profile holds the preferences for the map scan.

ICMP, TCP, and UDP probes are used to map the target network, just like the host discovery
module of a normal scan. DNS reconnaissance is included by default. It includes Domain
Lookup, DNS Zone Transfer, DNS Brute Force, and Reverse DNS Lookups.

If an Authentication Record is available for ESX/ESXi, the detection capabilities can be
extended further into hypervisor layers.

Map Report
The flags displayed in the Map Report are listed below:
• S – this will be displayed for a host if the IP has already been added to your
subscription
• L – this will be displayed for a host if there was a reply to the discovery probes; the
host is ALIVE
• N – this will be displayed for a host if the IP address is in the netblock that you
supplied as the target of the map scan
• A – this is a marker for you to mark devices approved so that on the following map
scan, you will see the A flag for them if they are rediscovered

In the example above, the routers between the scanner appliance and the target IP domain
are marked as Approved Hosts. The following map scan will rediscover these routers, and
the A flag will be set for them. This makes it easy to spot rogue hosts that appeared
between map scans and should not be there: those rogue devices would show up with
neither the S nor the A flag set.
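The flag rule above, as an added example that is not part of this supplement or of any Qualys tool: it classifies each Map Report row by its S/L/N/A flags, so that hosts with neither S nor A become the rogue list, and subscribed hosts that no longer answer become the purge candidates mentioned at the start of this appendix. The rows are constructed sample data in the form `(ip, flags)`; the category names `approved`, `subscribed`, `stale`, `rogue` and `other` are my own.

```python
"""Triage Map Report flags into rogue, stale and known hosts (added example, not Qualys code)."""
import ipaddress
from collections import defaultdict

# Flags as documented for the Map Report:
# S = already in subscription, L = alive, N = inside the targeted netblock, A = approved.
VALID_FLAGS = set("SLNA")

# Constructed sample rows (ip, flags). The two routers were approved on an earlier map.
SAMPLE_MAP_ROWS = [
    ("10.10.79.1", "LA"),    # intermediate router, approved, outside the target netblock
    ("10.10.80.1", "LA"),    # gateway of the target netblock, approved
    ("10.10.80.10", "SLN"),  # subscribed host, alive
    ("10.10.80.11", "SN"),   # subscribed host that no longer answers the probes
    ("10.10.80.57", "LN"),   # alive, not subscribed, not approved
    ("10.10.80.58", "LN"),
]


def classify(flags):
    """Map one row's flag string to a triage category.

    Order matters: an approved device is never rogue, and a subscribed device
    that stopped answering is a purge candidate rather than a rogue host.
    """
    f = set(flags)
    unexpected = f - VALID_FLAGS
    if unexpected:
        raise ValueError(f"unknown map flag(s): {''.join(sorted(unexpected))}")
    if "A" in f:
        return "approved"
    if "S" in f:
        return "subscribed" if "L" in f else "stale"
    if "L" in f:
        return "rogue"  # alive with neither S nor A: appeared since the last map
    return "other"


def triage(rows):
    """Group addresses by category, each list sorted numerically by IP."""
    groups = defaultdict(list)
    for ip, flags in rows:
        groups[classify(flags)].append(ip)
    return {cat: sorted(ips, key=ipaddress.ip_address) for cat, ips in groups.items()}


def rogue_in_target(rows):
    """Rogue hosts that also sit inside the netblock you targeted (N flag),
    which are the ones worth chasing first."""
    return sorted((ip for ip, fl in rows if classify(fl) == "rogue" and "N" in fl),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    for category, ips in sorted(triage(SAMPLE_MAP_ROWS).items()):
        print(f"{category:>10}: {', '.join(ips)}")
```

The `stale` list is what you would review before purging, and the `rogue` list is what you would feed back into the Actions menu as either approved hosts or additional scan targets once you have identified them.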

From the Actions menu, you can add IPs to your subscription, add to Asset Groups, launch
additional scanning, or purge.

Graphic Mode – Tree View


The Tree View of the map scan's graphic mode reflects that a map scan is directional. It is a
discovery originating from the scanner appliance toward an IP network. Intermediate
devices are discovered between the scanner and the target network; in this case, the
devices are routers.

The viewing of graphic mode can be changed to Radial, which views the map scan in
concentric orbits starting from the scanner appliance.

Appendix B: Additional Option Profile Settings
This section will cover other option profile settings that are less commonly used.

Authoritative Option for light scans


This checkbox is for Qualys users who have been using the standard scan setting but now
want to move to the light scan option. By doing this, over 1700 TCP and 150 UDP ports are
lost in scan coverage.

The user is accepting the trade-off of less coverage for quicker scanning. By checking the
checkbox, the user permits Qualys to mark previously detected vulnerabilities as closed.
This does not fix the vulnerabilities; the checkbox can only be selected with Light scans.

The previously open findings will be closed if the QID is targeted but not detected or if the
QID cannot be executed because the port is no longer in the list to be scanned. When two
instances of the same vulnerability exist on multiple ports, each is evaluated independently.

If you run Light scans with this option, you should continue to run scans the same way
moving forward. Returning to standard or full port scanning could lead to unexpected
vulnerability statuses or trends. It is not recommended that you run Light scans with this
checkbox selected if you have standardized on full and standard scans in your organization.
This could cause the vulnerability status to change unexpectedly and affect report data.

Close Vulnerabilities on Dead Hosts


This checkbox can provide some automation to quickly close vulnerabilities for hosts that
are not found alive after a set number of scans. It can only be enabled with Full or Standard
scans.

Existing tickets associated with dead hosts will be marked as Closed/Fixed when enabled.
The vulnerability status will be marked as Fixed.

This feature must be enabled for your subscription. You can contact your account manager
or support to get it.

Purge old host data when OS is changed


This checkbox can provide some automation if you regularly decommission or replace
systems.

When enabled, the host will be purged if a change is detected in the host’s operating system
vendor, for example if the OS changes from Linux to Windows or from Debian to Ubuntu. The
host will not be purged for an OS version change from Linux 2.8.13 to Linux 2.9.4.

This feature must be enabled for your subscription. You can contact your account manager
or support to get it.

Password Brute Forcing


This setting can be used to check the security hardening of scan targets.

Common targets of brute force attacks are FTP, SSH, and Windows hosts. The System
checkbox includes levels ranging from Minimal to Exhaustive. Qualys will attempt to guess
the password for each detected login ID on each target host scanned.

The levels of testing:


• Minimal: Qualys will attempt to access the user database (through authentication or
anonymously). If this is successful, Qualys will check that the usernames do not have
blank passwords. If the user database is not accessible, then only the Administrator
and Guest accounts will be checked.

• Limited: The same methodology as Minimal will be used. Additional tests will be
done to check that the username and password differ.
• Standard: This includes the previous levels of testing with up to 60 different
passwords for each login ID. It is like a dictionary attack. Only Administrator and
Guest accounts will be checked if the user database cannot be accessed.
• Exhaustive: This expands off the Standard level to include dynamically generated
passwords. It will increase scan time, and the additional checking will depend on
how fast the scan target responds to requests.

Choosing Custom will allow you to configure your own login/password combinations to look
for.

Setting up a specific Option Profile is recommended for checking security hardening. This
setting will make scans longer. Also, it will trigger account lockout policies, which are a
security best practice on assets in a production environment.

Lite OS Scan
Authenticated scans are the best practice. This setting is for scans running without
authentication where QID 45017 is present.

A scan without authentication cannot accurately determine the exact version of the
operating system. It must rely on fingerprinting methods like banner grabbing or probing
telnet during the information-gathering phase.

Selecting this checkbox will remove some fingerprinting methods considered “expensive”
(take a long time with a low probability of success). The following will be removed from OS
discovery methods: Telnet, MSRPC, NTP, VMWare ESXi web service, and HTTP: PHP-based
information.

Add a Custom HTTP Header Value


Qualys scanning will target Web and application servers with HTTP traffic. This option allows
you to add a custom HTTP header to the traffic. Web App and System Admins can quickly
identify and separate traffic generated by a Qualys Scanner Appliance.

This can prevent scan traffic from populating application log files or generating alerts.

Host-Alive Testing
This checkbox allows you to run a quick scan to determine if hosts are alive or dead.

No other scan tests will occur. The use case for this setting is for pay-per-scan customers to
avoid paying to find out that scan targets have connectivity issues.

Do not overwrite OS
Even though authenticated scans are the best practice, there could be a case where
occasional unauthenticated scans are run. Since unauthenticated scans cannot fully
determine the OS version, you do not want the unauthenticated scan to change the OS
attribute for your asset inventory. This could alter dynamic tags based on OS attributes.

The checkbox prevents the OS attribute from changing. This is for the specific use case of
switching back and forth between authenticated and unauthenticated scanning.

Use System Authentication Records


Using Policy Compliance, you can allow the system to create authentication records
automatically using the scan data discovered from running instances. Then, in VMDR, you
can include those system-created authentication records in scans by selecting “Include
system-created authentication records in scans.”

Appendix C: Debug Scan
This type of scan changes the scanner appliance’s operational mode to Debug for more
verbose logging. It is limited to targeting one IP address. After completing the Debug Scan,
the appliance will automatically revert to normal.

The use case would be to troubleshoot why a target host takes longer than expected to
finish scanning.

The Manager primary contact will be able to enable Debug Scan for the subscription.

Once enabled, you can choose a Debug Scan to scan a single target address. The scanner
appliance that you select will be unavailable until the debug finishes.

Initiating a Debug Scan when the scanner is fully available is recommended. This will ensure
no overlap with scheduled or on-demand scans. If a scan is scheduled to start while a Debug
Scan is running, it will be queued until the debug finishes. This is so that the appliance’s
operational mode reverts to normal.

Complete Vulnerability Detection should be avoided. This is a scan meant for
troubleshooting a single target address. Use an Option Profile with Custom Vulnerability
Detection for the QIDs you wish to troubleshoot. The Option Profile in the picture above is a
Custom Detection for QID 45006, 45038, and 45426. This is an example of troubleshooting
the QIDs related to latency and scan time.

The Debug Modes indicate the logging level you desire:


• Default: This is the lowest logging level. It is meant for issues like Host Not Alive and
determining false positives/negatives.
• Standard: The middle-level logs more than the Default mode. It is meant for Web
application scanning issues.
• Advanced: The highest level is the most verbose. It should be used with less than 20
QIDs and is meant for authentication or OS fingerprinting issues.

Appendix D: Maximum Scan Duration Per Asset
This setting limits how long a scan can run on a single asset. If the scan of an asset exceeds
the duration specified in the Option Profile, then the scan of that asset will be aborted, and
the job will continue to the next target. This setting is only supported for vulnerability scans.

A Manager user can enable this feature. Once enabled for the subscription, the duration can
be set in Option Profiles.

You will first want to benchmark your environment and get an expectation of how long
each asset takes to scan. The duration can be set between 30 and 2880 minutes.

Hosts that exceed the duration will be aborted, and no scan results will be available for the
skipped host.

When viewing the Scan Status, a Hosts Exceeded Duration tab will show which hosts
exceeded the duration.

Appendix E: CertView Scan
There is a use case for activating CertView on assets you own, but you don’t manage. This
could be the case if you rented out applications and needed to maintain visibility of the
asset’s certificates. This section will detail the recommended method to populate the
CertView app with data.

Internal Sites
For your internal assets, the On-prem Scan can populate the CertView app with data. If you
recall, the On-Prem Scan is doing Complete Vulnerability Detection on the Standard port list
with Additional Certificate Detection selected. You will not need a separate CertView Scan
for these internal assets.

You do not add internal sites within the CertView app. Instead, when you add IP addresses
to the subscription, make sure the CertView checkbox is selected. Your On-prem Scans will
populate the CertView app with data about SSL/TLS certificates on these internal IPs.

If you have already added IP addresses, then CertView can be added after the fact using the
Actions button.

Within the CertView app, you will see the IP addresses of your internal assets. From here,
you can launch an ad hoc scan of SSL/TLS certificates, but again this information should be
there from your weekly On-prem Scan. A CertView Scan completes very quickly since it is
looking for a limited set of SSL QIDs in the KnowledgeBase.

External Sites
External asset FQDNs and IP addresses are added in the CertView app.

When adding each IP, you will have the option to add to a weekly scan.

If you want to do an ad hoc scan, you can use the Scan button or the Quick Actions menu.
This avoids having to go into VMDR and set up a CertView Scan.

SSL/TLS certificate data will be shown in the Certificates section of CertView. The Quick
Actions menu will have the option to send a renewal request to DigiCert.

Appendix F: Static Routes
This implementation is very rare, but there could be a case where a scanner is deployed to
scan a target network that is not advertised by your routers, for example a stub network
with only one way in that is not L3-advertised. The scanner would need a static route added
so that it knows about the stub network and the gateway IP address used to reach it.

The picture reflects a scenario where the scanner is not directly connected to the
10.10.80.0/24 network. This network exists beyond a router that is not the normal gateway;
it is not being advertised, and there is only one way in.

When you edit the scanner appliance in the Qualys Platform, there should be a Static Routes
tab. If you do not see this option, contact support or your account representative to turn on
this function.

You can see the target network is added along with the IP address that can reach the stub
network. This will allow the scanner to reach the 10.10.80.0/24 network.

The newest scanner versions can add up to 4094 static routes. If you use qVSA-2.0.13-1 or
later for the scanner appliance, you can add up to 99 static routes.
