
Scanning Strategies and Best Practices (SSBP)

SSBP Training Documents

1. Presentation slides
2. Lab tutorial supplement

Download these from https://qualys.com/learning

2 Qualys, Inc. Corporate Presentation


Lab Tutorial Supplement

• All lab activity for this course is performed in a simulated lab environment
• The SSBP lab tutorial supplement contains:
  • Links for each lab tutorial
  • Overview of steps performed for each topic
  • Additional supporting information

Starting the Lab Tutorial

1. Navigate to the URL provided in the lab tutorial supplement to start the tutorial for a topic (open this link or copy/paste the link in a separate browser window/tab):
   Lab 1: Address Management
   https://ior.ad/7LHg
2. Maximize the screen
3. Start the tutorial

Important – Lab URLs are case-sensitive


Course Recommendation

Qualys recommends that you get certified in the Qualys Vulnerability Management course before taking this course:

Agenda

• Introduction & Account Setup

• Scan Process & Scanning Options

• Authenticated Scanning & Host Tracking


• Deploying & Using Scanner Appliances

• Scanning Approaches & Techniques

• Scanning Cloud Agent Hosts

• Delegating Scanning Tasks & Privileges



Host Assets



Adding Host Assets
For scanning to begin, you must first add assets to your subscription.

Managers can:
• Add assets to the subscription
• Remove assets from the subscription

A Unit Manager can add assets to the subscription but cannot remove them.


Lab 1 and 2

Lab 1 – Add hosts to subscription

Lab 2 – Create asset group


15 min.
Please refer to pages 3 – 4 of the lab supplement.


Scan Process Review



Vulnerability Scanning Workflow & Modules

A Qualys vulnerability scan is comprised of multiple tasks, each performed by an independent module:

Host Discovery
§ Checks host “dead/alive” status. By default, scanning will continue for live hosts.

Port Scanning
§ Finds open TCP and UDP ports on target hosts (based on scan preferences).

Service Detection
§ Identifies which services are running on open ports.

OS Detection
§ Identifies the host operating system (at least one open TCP port required).

Vulnerability Assessment
§ Based on 1) Operating System, 2) Active Services, and 3) Installed Software

Scan Process Diagram

[Diagram: scan process flow]
1. Host Discovery (13 TCP, 6 UDP, ICMP)
2. Port Scan (1900, configurable)
3. Service Detection (over 600 TCP and UDP tests)
4. Successful Authentication?
   • Yes: OS verified from registry or system settings, then 5. All Vulnerability Checks
   • No: Remote OS Fingerprint, then 5. Remote Vulnerability Checks

Scanning Options



TCP and UDP Ports

§ Determines which ports are targeted by Service Detection module.
§ Standard Scan provides a good balance between port coverage and scan performance.
§ Full Scan targets all 65,535 ports.
§ Ensure that potential filtering devices allow the ports you are targeting.

Authoritative Option for Light Scans

Scan authoritativeness affects the way the system closes previously detected findings based on the results of the current scan.

In an authoritative scan, previously open findings will be closed if the QID is included in the scan AND either of these is true:
• The QID was executed and vuln was found to be corrected, OR
• The QID could not be executed because:
  • The port the vuln was previously detected on is no longer open or reachable by the scanner, OR
  • The port is not in the list of ports scanned

** Non-authoritative scans do not update the status of a QID if the port is not included in the list of ports to scan
** Light port scans are non-authoritative by default

Authoritative Option – Use case

A vulnerability was detected on a web server on TCP port 80:

• Vulnerability was remediated by shutting off the service
• Light scans targeting the QID were performed to verify that the vuln status has changed to Fixed
• Result – vulnerability detection continues to remain open because the port is no longer open and therefore the QID cannot be executed
• Solution – Perform authoritative scans to force-close the vulnerability

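
The closure rules from the slides above and the port-80 use case, modelled as a small decision function. This is an added illustration, not Qualys code: the `Finding` and `Scan` types, the function names, QID 900001 and the port lists are all constructed for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    qid: int              # constructed QID, not a real Qualys identifier
    port: int             # port the vulnerability was detected on
    status: str = "Active"


@dataclass(frozen=True)
class Scan:
    authoritative: bool
    qids: frozenset        # QIDs included in the scan
    ports: frozenset       # ports in the scan's port list
    open_ports: frozenset  # ports the scanner found open and reachable


def qid_can_execute(finding: Finding, scan: Scan) -> bool:
    """A port-bound QID runs only if its port was scanned and answered."""
    return finding.port in scan.ports and finding.port in scan.open_ports


def apply_scan(finding: Finding, scan: Scan, still_vulnerable: bool) -> Finding:
    """Return the finding as it stands after the scan.

    still_vulnerable is what the QID would report if it gets to run.
    """
    if finding.status != "Active" or finding.qid not in scan.qids:
        return finding                      # QID not in scan: nothing changes
    if qid_can_execute(finding, scan):
        # The check ran, so its result decides in both scan modes.
        return finding if still_vulnerable else replace(finding, status="Fixed")
    if scan.authoritative:
        # Port closed, unreachable, or not in the port list: force-close.
        return replace(finding, status="Fixed")
    return finding                          # non-authoritative: left open


def port_80_use_case():
    """The slide's use case: service on TCP 80 shut off, then rescanned."""
    web_vuln = Finding(qid=900001, port=80)
    light = dict(qids=frozenset({900001}),
                 ports=frozenset({22, 80, 443}),    # constructed light port list
                 open_ports=frozenset({22, 443}))   # port 80 no longer answers
    default_light = apply_scan(web_vuln, Scan(authoritative=False, **light), True)
    forced = apply_scan(web_vuln, Scan(authoritative=True, **light), True)
    return default_light.status, forced.status


if __name__ == "__main__":
    print(port_80_use_case())
```

The same function shows the other branch of the rule: with an authoritative scan, a finding on a port that is missing from the port list is closed as well, which is why port lists for authoritative scans need to be chosen deliberately.
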
Scan Dead Hosts

§ A DEAD host is one that does not respond to any Host Discovery probes.
§ Use this option to scan all targeted hosts, regardless of the outcome of Host Discovery (LIVE/DEAD) probes.
§ This option may increase scan time.

Close Vulnerabilities on Dead Hosts

If enabled and the configured threshold is reached:

§ Existing tickets associated with dead hosts will be marked as Closed/Fixed
§ Vulnerability status will be updated to Fixed.

Purge Old Host Data When OS Is Changed

When enabled and a change is detected in the host’s OS vendor:

§ All existing host vulnerability findings are purged.
§ Not impacted by OS version changes (i.e., same vendor) such as Linux 2.8.13 to Linux 2.9.4

Example of OS vendor change – Linux to Windows or Debian to Ubuntu

Performance

§ Hosts to Scan in Parallel – max. number of hosts to scan at the same time per scanner, per scan task.
§ Processes to Run in Parallel – max. number of processes to run at the same time per host.
§ If the network response degrades during scanning, Qualys scanners will automatically throttle back the rate at which packets are sent.

Load Balancer Detection

§ When enabled, each targeted host is tested to determine if it’s a load balancing device.
§ QID 86189 – Presence of a Load-Balancing Device Detected.


Password Brute Forcing

§ Use “System” generated passwords or configure your own custom lists.
§ Combine both system generated and custom lists together.
§ Part of the “pre-deployment” scanning process.

Best Practice

• Avoid “Password Brute Forcing” on host assets protected by an account lockout policy.
• Best used with “pre-deployment” scans.


Vulnerability Detection

§ Complete scans always perform “Basic host information checks.”
§ QID dependencies should always be considered when using the “Custom” scan option.

Best Practice

• Choose “Complete” scans over “Custom” scans when possible.
• Be aware of QID dependencies and ensure “Basic host information checks” are included, if using the “Custom” scan option.


Authentication

§ Qualys recommends performing scans in “authenticated” mode, because it provides the most accurate results with fewer false positives.
§ Selecting an authentication option here will require a matching authentication (or vault) record.

Best Practice

• Perform vulnerability scans in “authenticated” mode.


Test Authentication

§ Enable this option to run a scan to test authentication results.
§ Identify authentication issues before running a full assessment scan.
§ If you have a “Pay Per Scan” account, a scan with Test Authentication enabled will not count against your number of available scans.
§ No other scan tests will occur.

Additional Certificate Detection

§ Enable to check for certificates in more locations, and beyond traditional ports.

Dissolvable Agent

§ Successfully scan host assets with Remote Registry Service disabled and enumerate Windows shares.
§ The agent immediately “dissolves” after completing its assigned task.


Lite OS Scan

§ QID 45017 “Operating System Detected” must be included in the scan task.
§ Enabling Lite OS Detection will remove “expensive” OS detection methods only from the information gathering phases of a scan.
§ These “expensive” methods may still be used later, if needed by any vulnerability assessment QIDs.

Add Custom HTTP Header Value

Distinguish Qualys scan traffic from other traffic using the “Qualys-Scan” header (i.e., CGI and Web application fingerprint checks).

Host Alive Testing

§ Run a quick scan to determine which of your target hosts are alive without performing other scan tests.
§ The Appendix section of your Scan Results report will list the hosts that are LIVE and hosts that are DEAD.

Do Not Overwrite OS

§ When enabled, Qualys scanners will NOT update the OS detected for targeted hosts.
§ This can be useful when performing occasional “untrusted” scans, when “trusted” scans are commonly used.

“Additional” Scanning Options



Host Discovery

§ Which probes will be used to determine host ALIVE/DEAD status?



Best Practice

§ Use the default “Host Discovery” settings provided by Qualys, and then provide additional TCP or UDP ports for your unique network and systems environments.


Blocked Resources

§ Avoid triggering IDS/IPS alerts and blacklists.

§ Qualys scanner appliances will NOT target the ports and IPs
identified here.

Packet Options

§ Prevent “ghost” IPs from appearing in your scan results and reports.
§ Use the bottom option to prevent Qualys scanners from performing extra ACK and SYN-ACK testing during Host Discovery.


Lab 3

Lab 3 - Option Profile

10 min.
Please refer to pages 5 – 16 of the lab supplement.
(link for the lab is on page 16)


Authenticated Scanning



Best Practice

Control 4: Continuous Vulnerability Assessment and Remediation

CSC 4-3: “Perform vulnerability scanning in authenticated mode either with agents running locally on each end system or with remote scanners that are given administrative rights on the system being tested…”**

** https://www.cisecurity.org/controls/

Benefits of Scanning in Authenticated Mode

§ More vulnerabilities are detected.
  • Ensures enumeration of software applications.
§ More accurate detection (more confirmed and fewer potential vulnerabilities).
§ Save Time - manually investigating a potential vulnerability takes time.
§ Most accurate OS detection.

Secure Windows Authentication



Windows Authentication Security Options

Kerberos Negotiation and Configuration

Check these items to ensure successful Kerberos Negotiation:

§ Target host must support Kerberos authentication.
§ DNS must resolve Kerberos Server (KDC) and target hosts.
§ Kerberos relies on accurate time synchronization (+/- 5 minutes).
§ Configure encryption for Kerberos (AES 256, AES 128, and maybe RC4).
§ If the requirements above are not met, NTLMv2 negotiation will begin.
§ Use QID 70028 to verify Windows authentication method used.

Secure Unix Authentication



Root Delegation

Root delegation is provided via sudo, PowerBroker, or Pimsu.

Best Practice

• Use a “non-privileged” user account with any supported “Root Delegation” service, when scanning Unix-based host assets.


Unix Private Key Authentication Tips

§ Private key authentication is supported for SSH2 only.
§ Scanning account must be added to all target hosts, along with its public key (i.e., authorized_keys file).
§ Private key must be PEM-encoded (OpenSSH standard).
§ Use ssh-keygen to create public/private key pairs.
§ Private key can be encrypted with a passphrase or left unencrypted.

Best Practice

• Use more secure Public/Private key pairs (when possible) over less secure password authentication.


Qualys Authenticated Scanning Resources



Lab 4 - 6

Lab 4 – Windows Record

Lab 5 – Unix Record

Lab 6 – Authenticated Scan

15 min.
Please refer to pages 17 – 18 of the lab supplement.


Agentless Tracking



Host Tracking

How do you want to track host vulnerability history?

§ IP Address (works best for static IPs)
§ DNS Name
§ NetBIOS Name
§ Qualys Host ID (default for Qualys Cloud Agent)

§ Qualys Host ID can be used by Qualys Scanner Appliances, when “Agentless Tracking Identifier” is enabled.

What Is Agentless Tracking?

§ Qualys Cloud Agent uses a universally unique ID (UUID) called the Qualys Host ID to track vulnerabilities.
§ Agentless Tracking provides “scannable” host assets, with the same Qualys Host ID.
§ Available through Windows and Unix auth. records.
§ This common ID allows you to merge SCAN and AGENT data together into a “unified” view.

Best Practice

• Enable “Agentless Tracking Identifier” when scanning host assets running a Qualys agent, to merge SCAN data with AGENT data.


Enable Agentless Tracking
Navigate to Assets > Setup.



Windows Authentication Record



Unix Authentication Record



Best Practice

• Store the Qualys Host ID in the /etc directory (i.e., the same directory used by Qualys Cloud Agent).


Lab 7

Lab 7 – Agentless Tracking and Merging

10 min.
Please refer to pages 19 – 21 of the lab supplement.


Deploying and Using Scanner Appliances



Scanner Appliance Deployment

[Diagram labels: Qualys Cloud Platform; LAN 1; LAN 2; DMZ; Remote Users; IaaS Providers (EC2/VPC, Azure, Google)]

External Scan Review

[Diagram: same topology, with address 64.41.200.249 shown]

Internal Scan Review

[Diagram: same topology, with address 10.10.10.1 shown]


Scanner Location
External Scanners (Public Interface)
• Scanning Public IPs
• External PCI scans (11.2.2)
• Public Cloud Platforms (e.g., Amazon)
Internal Scanners (Public or Private Interface)
• Scanning Private IP addresses
• Best Practice: one scanner appliance per subnet
• Internal PCI scans (11.2.1)
• DMZ Appliance
• IPv6 scanning



Qualys Virtual Scanner Appliance
Qualys Virtual Scanner Appliances are available for multiple hypervisor and virtualization platforms.

VLAN Tagging

[Diagram labels: LAN interface 10.10.10.10/24; trunking enabled for VLANs 10, 20, 30, and 40; R 10.10.10.1/24; Internet; VLAN 20 (10.10.20.0/24, 10.10.20.254); VLAN 30 (10.10.30.0/24, 10.10.30.254); VLAN 40 (10.10.40.0/24, 10.10.40.254)]


Scanner Appliance “VLANs” Option

• Scanner appliance receives a local IP address on each configured VLAN segment.
• The same IP address cannot be used in more than one VLAN configuration.

Best Practice

• Use VLAN Tagging to scan multiple VLANs using a single scanner appliance.
• Bypass layer three packet filtering.


Static Routes



Static route

[Diagram labels: SWITCH; R with interfaces 10.10.80.1/24 and 10.10.40.1/24; VLAN 20 (10.10.20.0/24); VLAN 30 (10.10.30.0/24); VLAN 40 (10.10.40.0/24); 10.10.80.0/24]


Scanner Appliance “Static Routes” Option

• Physical scanners support up to 99 static routes.
• Virtual scanners support up to 4094 static routes.


Scanning through Firewalls



Half-Open SYN Scan
Host Discovery & Port Scanning

[Diagram: SYN, SYN-ACK, RST exchange between 10.1.1.10 and 10.1.1.20]

Cascading Firewalls

[Diagram: SYN, SYN-ACK, RST exchange between TRUSTED and UNTRUSTED zones]


Best Practice

• Avoid scanning through cascading or multiple firewalls.



Firewall Detected QID



Scanning through Firewalls
From Trusted to Untrusted

Large amounts of “outgoing” traffic could potentially exhaust your firewall’s state table, causing it to crash or fail.

Precautionary steps to follow:

• Lower Port Scanning and Host Discovery “Intensity” to Minimum.
• Minimize the number of hosts and ports targeted.
• Work closely with systems and network admins to monitor state table (allocate more memory if needed).
• Do NOT turn off stateful inspection.
• Increase NAT/PAT pools.

Best Practice

• Avoid scanning from “trusted” to “untrusted” networks, through a stateful inspection firewall.


Lab 8

Lab 8 – Scan Results

10 min.
Please refer to pages 22 – 24 of the lab supplement.


Calculating Scan Parameters & Resources



How Many Hosts Should My Scan Target?

Ex. 17 million / number of ports = number of hosts

• Light Scan: 17 million / 160 ports = 106,250 hosts
• Standard Scan: 17 million / 1900 ports = 8947 hosts
• Full Scan: 17 million / 65,535 ports = 259 hosts

Add More Scanners for Larger Targets

17 million / 1900 ports = 8947 hosts (Standard Scan)

• 8947 x 2 (scanners) = 17,894 hosts
• 8947 x 3 (scanners) = 26,841 hosts
• 8947 x 4 (scanners) = 35,788 hosts
• 8947 x 5 (scanners) = 44,735 hosts
• etc...
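
The sizing rule from the two slides above, applied to real target definitions (CIDR blocks and first-last ranges) to estimate how many scanners a scan needs. This is an added planning sketch, not a Qualys tool: the function names and the sample target are constructed, and the 17 million figure and per-profile port counts are taken from the slides as given.

```python
import ipaddress
import math

PROBE_BUDGET = 17_000_000  # figure the slides divide by the port count
PROFILE_PORTS = {"light": 160, "standard": 1900, "full": 65535}  # from the slides


def hosts_per_scanner(ports: int, budget: int = PROBE_BUDGET) -> int:
    """Slide rule: budget / number of ports = number of hosts (rounded down)."""
    if ports <= 0:
        raise ValueError("port count must be positive")
    return budget // ports


def count_hosts(target: str) -> int:
    """Count scannable addresses in 'a.b.c.d/nn' or 'first-last' notation."""
    target = target.strip()
    if "-" in target:
        first, last = (ipaddress.ip_address(p.strip()) for p in target.split("-", 1))
        if first.version != last.version or last < first:
            raise ValueError(f"bad range: {target}")
        return int(last) - int(first) + 1
    net = ipaddress.ip_network(target, strict=False)
    # Ordinary IPv4 subnets lose the network and broadcast addresses.
    if net.version == 4 and net.prefixlen < 31:
        return net.num_addresses - 2
    return net.num_addresses


def scanners_needed(targets, profile: str):
    """Return (total hosts, hosts per scanner, scanners required)."""
    total = sum(count_hosts(t) for t in targets)
    per_scanner = hosts_per_scanner(PROFILE_PORTS[profile])
    return total, per_scanner, math.ceil(total / per_scanner)


if __name__ == "__main__":
    sample = ["172.16.0.0/16"]  # constructed sample target
    for profile in PROFILE_PORTS:
        print(profile, scanners_needed(sample, profile))
```

For a /16 the jump from a Standard Scan to a Full Scan raises the scanner count from 8 to 254 under this rule, which is the practical reason to reserve full-port scans for small target sets.
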



Scanner Parallelization



Scanner Parallelization
Combining Multiple Scanners

• Use more than one scanner to scan a block of hosts.
• Reduce the time needed to complete your scans.
• Scanner code and signatures must be synchronized.
• Can your network handle the increased bandwidth consumption?

[Diagram labels: Appliance_1, Appliance_2, Appliance_3, Appliance_4, Appliance_5]

Microslicing Technology

What if I want to scan a full /16?

The service will accommodate the scan by breaking it up into “slices” and distributing them to appliances appropriately based on their capacity.

[Diagram: Qualys Cloud Platform handing out slices: Scan 172.16.0.1 to 172.16.15.254; Scan 172.16.16.1 to 172.16.31.254; Scan 172.16.32.1 to 172.16.47.254; appliance callouts “At full capacity” and “I now have capacity!”]


Best Practice

• Combine multiple scanner appliances to reduce overall scan time.


Select Multiple Scanners

Parallel Scaling for Scanner Appliances

§ Select this option to dynamically “scale” the “Hosts to Scan In Parallel” setting (at scan time).
§ This calculated value will be based upon the computing resources available on each appliance.
§ Can be especially useful in subscriptions with scanner appliances that have different performance characteristics (e.g., processor, memory, etc...).

Monitoring and Analyzing Scans


How Long Will My Scan Take?

§ Host type - does host provide one or more services to other hosts?
§ Host utilization - is host busy handling other requests at scan time?
§ Network utilization - how much bandwidth is available at scan time?
§ Number of Scanners and location - how many hops between scanner and
target host?
§ Option Profile settings - how many ports will be probed; how many vulns.
will be tested; is scan performance set to LOW, NORMAL or HIGH?



Check Scan Status for Suspect Hosts

§ Which host assets are driving your overall scan time?

• When a routine scan exceeds its expected scan time, check to see which host assets (IPs) are still in the queue.
• Make a list of all suspect IPs and analyze their scan statistics, when the scan finishes.


Host Scan Time QID



Scan Activity per Port



Some Other Useful Scan Analysis QIDs

45038 - Host Scan Time
45426 – Scan Activity per Port
45006 - Traceroute
45179 - Report Qualys Host ID Value
45180 - Report Qualys Host ID Access Errors
90194 - Windows Registry Pipe Access Level
§ Access to Remote Registry Service is denied or Registry access denied
§ You may need to enable Remote Registry Service
90195 - Windows Registry Key Access Denied
§ Check your scanning account’s access privileges.
§ User Access Control (UAC) will impact this QID.
70028 - Windows Authentication Method
105015 - Windows Authentication Failed
105053 - Unix Authentication Failed

Best Practice

• Create and maintain your own custom Search List for analyzing scan performance.


Lab 9 - 11

Lab 9 – Custom Scan Analysis Search List

Lab 10 – Scan Analysis Template

Lab 11 – Scan Analysis Report

15 min.
Please refer to pages 25 – 27 of the lab supplement.


Scanning Approaches and Techniques



What’s An Effective Scanning Target?

§ Create scanning targets separate from reporting targets (an ideal reporting target isn’t necessarily a good scanning target).
§ RECOMMENDED: Select targets that cover entire netblocks or subnets (i.e., perform comprehensive, pervasive scans)
§ Avoid narrow or constricted scanning targets that might inadvertently miss active host assets.
§ Scan frequently and often (Vulnerability Detection = Complete).

** Always consider your existing network architecture and the location of filtering devices when selecting appropriate scanning targets. Firewall rule tables and whitelists may need to be adjusted for your scans.


Recommended Scans

1. Certification/Accreditation – pre-production scan (authenticated-mode)
2. Discovery/Inventory – lightweight discovery and inventory scan (authenticated-mode)
3. Assessment – standard scan (authenticated-mode)

• Combine Inventory with Assessment scan (perform assessment scans more frequently).
• Add Compliance scan (Qualys PC) for complete coverage


Certification/Accreditation Scan

§ GOAL: Ensure newly deployed host assets meet baseline security requirements, prior to moving into a production role.
§ Option Profile Settings:
  • Full scan (65,535 ports)
  • Password Brute Forcing enabled (target known vendor and device defaults)
  • Vulnerability Detection: Complete
  • Authentication: Enabled
§ A rescan will be required anytime a new host goes back to the apps team (if feasible, just scan after the apps team has finished).


Discovery/Inventory Scan

§ GOAL: Provide a lightweight scan that collects host metadata useful for asset inventory and management tasks, including data needed to propagate or update Asset Tags.
§ Option Profile Settings: (e.g., Light Inventory Scan v.1)
  • TCP Ports (16): 21-23,25,53,80,88,110-111,135,139,443,445,515,1433,1521
  • UDP Ports (6): 53,111,135,137,161,500
  • Vulnerability Detection: Custom
    o Windows Authentication Results
    o Unix Authentication Results
    o Inventory Results
  • Be sure to enable “Basic host information checks” when using “Custom” detection
  • Authentication: Enabled
§ Perform pervasive scans that cover entire netblocks or subnets.

Useful Host Inventory QIDs

QIDs used by Asset Tag rule engines:


45039 – Host Names Found
45361 – Linux/Unix Hostname Information
45141 – Installed Packages on Unix and Linux Operating Systems
90235 – Installed Applications Enumerated from Windows Installer
123816 – Interface and IP Address List (Unix)
45099 – Interface Names and Assigned IP Address Enumerated from Registry
82004 – Open UDP Services
82023 – Open TCP Services



Assessment Scan

§ Goal: Perform a thorough and comprehensive scan to find and mitigate host vulnerabilities.
§ Option Profile Settings:
  • Standard Scan (about 1900 TCP and 180 UDP ports): include additional ports where necessary.
  • Vulnerability Detection: Complete
  • Authentication: Enabled
§ Perform pervasive scans that cover entire netblocks or subnets.
§ Scan frequently and often.


Lab 12 - 14

Lab 12 – Certification/Accreditation Scan

Lab 13 – Inventory Scan

Lab 14 – Assessment Scan

15 min.
Please refer to pages 28 – 29 of the lab supplement.


Continuous Scanning



Scheduled Continuous Scans



Scanning Cloud Agent Hosts



Host Perspectives

Remote
§ Qualys Scanner Appliance targets host assets remotely.

Local
§ Qualys Cloud Agent installs as a local system service.



How To Scan an “Agent” Host

1. Build a “Dynamic” Search List, using the “Supported Modules” check boxes for Cloud Agent.
2. Create an Option Profile using the “Complete” vulnerability detection option and then exclude the Search List of QIDs already covered by the agent.
3. Run Scan

Add Agent Addresses To Scan


Lab 15 - 16

Lab 15 – Agent Search List

Lab 16 – Cloud Agent Scan

10 min.
Please refer to pages 30 – 31 of the lab supplement.


Delegating Scanning Tasks and Privileges



Who Can Run Qualys Scans?

§ Scans may be performed by a: Scanner, Unit Manager, or Manager.

§ Scanning privileges may be provided via GUI, API, or both.



Which Hosts Can A User Scan?
§ Asset Groups assigned to a Qualys user determine which IPs that user can successfully scan.


Which Scanner Appliances Can I Use?

1. Assign desired scanner appliance to targeted Asset Group(s).
2. Then assign same Asset Group(s) to desired user account.

§ Qualys pool of External Appliances is available by default.


Lab 17 - 18

Lab 17 – User Creation and Group Assignment

Lab 18 – Scan with Scanner Privileges

15 min.
Please refer to pages 32 – 33 of the lab supplement.


Thank You

training@qualys.com
