
Qualys Technology


The Heartbleed OpenSSL bug (CVE-2014-0160) caught everybody by surprise last week, and the scope and impact of the issue can't be overstated. Mitigating the impact of Heartbleed is a daunting process since it has been in the wild since March 2012 and because attacks that use it leave no footprints.


Last week Qualys created detection capabilities for Heartbleed within 24 hours of its discovery. Today we have released a new Heartbleed reporting capability within the QualysGuard Certificates Dashboard so that organizations can move efficiently through the patching and certificate cleanup process. Within the Certificates Dashboard, a specific “Heartbleed” selection has been added to the Filters menu. It outputs the details of any certificates associated with assets that either have a current Heartbleed detection, or had a Heartbleed detection and a certificate issue date that lies before the fix date. In addition, the administrator can search for certificates that were issued any time before the systems were patched; these constitute the “at risk” population of certificates that should be revoked and replaced.


Our ability to deliver detection and reporting to our entire QualysGuard customer base so quickly after the discovery of Heartbleed demonstrates the flexibility of our cloud-based platform. We will continue to iterate and improve our capabilities to make the recovery from Heartbleed as painless as possible for our customers.


Heartbleed Remediation Reporting Step-by-Step

  1. Navigate to the Assets section of QualysGuard.


  2. Select the Certificates tab, click the Filters dropdown and choose Heartbleed to see all affected hosts.


  3. After you have patched some or all of the affected hosts, click Search and select Fixed to list only remediated hosts that can be issued new certificates.


  4. Search for all certificates issued before the patch date to identify certificates that may need to be replaced (in this example 14 April 2014).


  5. To share with others, export the data in the format of your choice.
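
The selection logic behind steps 2 to 4, applied offline to exported data. This is an added example, not Qualys code: the CSV column names, status values and sample rows are constructed for illustration and do not reflect the actual QualysGuard export format.

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names and values are assumptions made
# for this example; they are not the QualysGuard export format.
SAMPLE_CSV = """host,cert_serial,issued,heartbleed,fixed_on
web01.example.test,0A01,2013-06-02,active,
web02.example.test,0A02,2013-11-20,fixed,2014-04-10
web03.example.test,0A03,2014-04-15,fixed,2014-04-10
vpn01.example.test,0A04,2012-01-15,none,
mail01.example.test,0A05,2014-03-30,fixed,2014-04-14
"""


def load(text):
    """Parse the export into rows with real date objects."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": r["host"],
            "serial": r["cert_serial"],
            "issued": date.fromisoformat(r["issued"]),
            "status": r["heartbleed"],
            "fixed_on": date.fromisoformat(r["fixed_on"]) if r["fixed_on"] else None,
        })
    return rows


def classify(row):
    """Map one certificate/host pair to the remediation action it needs."""
    status = row["status"]
    if status == "active":
        # Host is still vulnerable: a new certificate issued now would be
        # exposed again, so patching comes before reissuing.
        return "PATCH_HOST_FIRST"
    if status == "fixed":
        if row["fixed_on"] is None:
            raise ValueError(f"{row['host']}: fixed detection without a fix date")
        # Strictly before the fix date, as the filter is described above.
        if row["issued"] < row["fixed_on"]:
            return "REVOKE_AND_REPLACE"
        return "REISSUED_AFTER_FIX"
    if status == "none":
        return "NO_DETECTION"
    raise ValueError(f"{row['host']}: unknown detection status {status!r}")


def heartbleed_filter(rows):
    """Step 2: current detection, or past detection with a pre-fix certificate."""
    wanted = ("PATCH_HOST_FIRST", "REVOKE_AND_REPLACE")
    return [r for r in rows if classify(r) in wanted]


def issued_before(rows, cutoff):
    """Step 4: every certificate issued before the patch date, detection or not."""
    return [r for r in rows if r["issued"] < cutoff]


def worklist(rows):
    """Group (host, serial) pairs by the action they need."""
    out = {}
    for r in rows:
        out.setdefault(classify(r), []).append((r["host"], r["serial"]))
    return out


if __name__ == "__main__":
    rows = load(SAMPLE_CSV)
    for action, items in worklist(rows).items():
        print(action)
        for host, serial in items:
            print(f"  {host}  serial={serial}")
    at_risk = issued_before(rows, date(2014, 4, 14))
    print("issued before 2014-04-14:", [r["serial"] for r in at_risk])
```

The date search in step 4 is deliberately broader than the Heartbleed filter: it also returns certificates on hosts with no recorded detection, which is why the two result sets differ.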



QualysGuard 8.0 adds the following capabilities to the QualysGuard Cloud Platform and its suite of services:


  • Featured Enhancement: Overlapping IP support
  • Vulnerability Management
    • Improvements to the SSL Certificates List
    • Configure Multiple PCI Option Profiles
    • Security Risk Score Summary Added to XML and CSV Reports
  • Policy Compliance
    • Golden Image Policy Organized Into Sections
    • Select Individual IPs for Your Policy Reports
    • Control Checksum Requirement Removed from Policy XML
  • QualysGuard Platform
    • New Look and Feel for QualysGuard Express
    • Improved IP Selection
    • QualysGuard API Enhancements


QualysGuard 8.0 will be released in production in the coming weeks and includes enhancements to QualysGuard Vulnerability Management (VM) and Policy Compliance (PC), QualysGuard Cloud Platform and the API.


For release notifications containing details about the release dates for specific platforms and to subscribe to release notifications by email, please see the following:




Featured Enhancement: Overlapping IP Support

With QualysGuard 8.0 customers can now manage overlapping IP ranges within a single QualysGuard subscription, providing the user with the ability to define discrete private networks to keep overlapping blocks isolated from each other.  This is a common need that appears in many use cases including:


  • M&A events
  • Air gap networks
  • Business continuity/disaster recovery
  • Dev/test
  • IaaS environments
  • "Cloned" small office networks


These different network zones can now be easily defined and separated within QualysGuard through the UI and API.


To take advantage of this new capability, the administrator uses the new “Networks” tab under Assets, defines a new network, and assigns a scanner. Once defined, one can perform asset discovery, launch a vulnerability scan, run reports, and track mitigation on that network as a specific entity. Assigning scanners to networks resolves the issue of duplicate IP addresses occurring in different networks, while still allowing the administrator to maintain centralized management across the entire organization.



Create a Network




Discover Assets on Your New Network



Scan Your Network




QualysGuard Vulnerability Management (VM)

Improvements to the SSL Certificates List

We’ve made several improvements to the SSL Certificates list to make managing your certificates even easier.  Relationships are now maintained between a given certificate and the ports, services, or even different hosts on which it is found, which helps prevent duplicate entries and simplifies reporting and remediation efforts.  The reason for an invalid status now appears in a preview pane.




Configure Multiple PCI Option Profiles

With the QualysGuard 8.0 release you can configure multiple PCI option profiles with different performance settings.  For example, you can create one profile set to High performance, another set to Normal performance, and a third set to Low performance. Then apply the appropriate profile to each scan based upon your network requirements.





Security Risk Score Summary Added to XML and CSV Reports

With this release vulnerability scan reports now include a security risk score summary for the report as a whole and per host, in all available report formats.  Previously security risk metrics were not included in XML or CSV output types.  As before, the risk score summary appears when your report template is configured for host based findings (automatic data) and the Text Summary option is selected. The corresponding asset_data_report.dtd was updated.





QualysGuard Policy Compliance (PC)

Golden Image Policy Organized Into Sections

When you create a golden image policy, we automatically add controls to the policy for you. In the QualysGuard 8.0 release we now go one step further and organize those controls into sections based on the control category, giving your policy structure within the Policy Editor.





Select IPs for Your Policy Reports

You can now select individual IP addresses or ranges to include in your policy compliance report.  Simply select the policy you want to report on and click the “Select IPs in policy” option. Then tell us which IPs/ranges from the policy you want to include in the report.





Control Checksum Requirement Removed from Policy XML

Now it’s possible to manually import policies without the requirement to have a checksum for control configurations. We’ve updated the XML output of the EVALUATE element. We’ll use the new XML output without the checksum when you export policies. No changes were made to the policy export output DTD (https://<base_URL>/api/2.0/fo/compliance/policy/policy_export_output.dtd).



QualysGuard Cloud Platform

New Look and Feel for QualysGuard Express

The QualysGuard Express UI has a new look and feel – you’ll notice more tips and details throughout the UI to help you with your configurations and tasks.




Here’s a look at the Scans section. Helpful details and links are shown on the screen to help you understand the different scan configuration options available to you in the Scans section. Similar details appear in the Reports and Remediation sections.





Improved IP Selection

You’ll now see a simple text field where you can directly enter IPs/ranges or paste them in. This new method for IP selection is used throughout the UI. You’ll see it when setting up your asset groups, configuring approved hosts lists for your domains, removing IPs from your subscription, and so on. If it seems familiar that’s because we introduced this change in authentication records in the last release.





QualysGuard API Enhancements

The QualysGuard API delivers these new capabilities and enhancements with this release.  More information is available at QualysGuard® API Release Version 8.0 - 15 day notification.


  • VM – “Security Risk Score” summary added to XML and CSV reports
  • VM – Manage the EC2 Scan Workflow using the API
  • VM and PC – Select Multiple Scanner Appliances for Scans
  • VM and PC – Launch Reports using Asset Tags
  • PC – Limit Policy Reports to Selected IPs
  • PC – Compliance Scorecard Report XML – added NetBIOS name and DNS name
  • PC – Policy XML updated to remove control checksum requirement
  • PC – Posture Info API improvements
  • Cloud Security Platform – Manage your Virtual Scanners using the API
  • Cloud Security Platform – Network Support API





Update: Today, Thursday 4/10/2014, we released a further improvement to QID 42430 "OpenSSL Memory Leak Vulnerability (Heartbleed bug)". We have tuned the remote, unauthenticated probes to improve the detection rate for a number of edge cases: OpenSSL implementations that behave differently from standard setups. The changes are included in Signature version 2.2.703-5.


4/9/2014: An active, unauthenticated detection is now live on all platforms in the external scanners as of 4/9/2014 - 7:00 PM PST. The detection reports to the same QID as before: 42430 "OpenSSL Memory Leak Vulnerability (Heartbleed bug)". This detection is vendor independent and detects vulnerable instances of OpenSSL wherever in use, for instance web servers, VPN servers and appliances. The simplest way to scan your vulnerable websites is to limit your scan to this QID. Take a look at our How-to doc that explains how to set up the scan. BTW, the version that implements that detection is in "Scanner version: 7.6.34-1", which you can confirm under Help - About. Scanner Appliances update on a slightly slower schedule. You can verify their version on the Appliance page and trigger a manual update if necessary.


Original: The “heartbleed” vulnerability (CVE-2014-0160) was published on April 7, 2014. The vulnerability affects the ”heartbeat” extension in TLS 1.2 in OpenSSL, and has been present in the V1.0.1 version since its implementation about 2 years ago. A successful exploitation of the vulnerability leads to inadvertent disclosure of memory on the targeted machine, which can contain confidential information such as session-cookies, usernames, passwords and encryption keys. The vulnerability is well documented and researched and a number of proof-of-concepts for its exploitation were published within a day of the release.


Qualys has implemented the following tools to help you detect the vulnerability and track the remediation efforts:

  • on April 8, an active check for the vulnerability through our SSL Labs service. It can be used to test external website in an ad-hoc, interactive manner.
  • on April 8, QID 42430 a check in QualysGuard VM, PCI, and Freescan. The check uses the banner information returned by Apache to determine whether a vulnerable OpenSSL version is in use. It is a potential vulnerability since banner information is often not reliable.
  • on April 9, QIDs 121887, 121888, 121889, 121890, 121891, 195443 (for RedHat, Fedora, Debian, CentOS, OpenSuSe and Ubuntu) that use package information to determine whether the version of OpenSSL installed is vulnerable. These QIDs require authentication. See tips on using these QIDs.


An active detection in QualysGuard for “heartbleed” that requires no authentication, similar to SSL Labs, is currently in QA and we are working on getting it out as soon as possible. Stay tuned to this post for updates.


For our production environment on the shared QualysGuard platforms, we have investigated CVE-2014-0160, and determined that the systems that comprise the platforms are not vulnerable.  We used a number of factors including an analysis of OpenSSL versions in use and technical testing for the vulnerability through the QualysGuard Vulnerability Management service, the Qualys SSL Labs Server Test, and other tools that have been made available.


Please comment on how you are using these tools either here or you can contact me via e-mail at:


QualysGuard WAS 3.3 provides enhanced management of web application information and data filtering options along with usability enhancements.


Feature highlights include: Bulk editing of web applications, filtering sensitive content detections, enhanced report storage management, and additional scan cancellation options.  Together, these new features save organizations time and enable organizations to run a more effective and efficient web application security program.


QualysGuard WAS 3.3 will be released in production in late March/early April 2014 depending on the platform. Details about the release schedule are at the end of this blog post.



Web Application Management Enhancements


Bulk Editing Web Applications: QualysGuard WAS is the most scalable web application scanning solution available. So we've enhanced the ability to manage large numbers of web applications by adding the capability to perform bulk edits to web application details, saving users from having to make these changes on an app-by-app basis. The new capability takes advantage of QualysGuard's asset tagging to enable users to easily group together applications with similar attributes that may need to be updated as a group. Users can update web application details, scan settings and authentication information.







Reporting Enhancements


Filter sensitive content detections:   Now you can choose to ignore sensitive content in the detection browser and by default in all future reports  just as you can with vulnerabilities.  This provides users with the ability to have fine grained control over what sensitive content findings are listed in reports for all users, leading to higher levels of confidence for reports reviewed by internal teams.  But don't worry, you can easily modify the report filters if you need to include them again in the future.


Ignore sensitive content findings in detection browser



Ignore sensitive content findings in report details



Manage Report Storage Limit: QualysGuard WAS 3.3 provides users with better visibility and planning for report storage. Users can now easily identify how much storage they are using, and subscription managers can set user limits. Managers can see how much report space has been allocated and make more informed decisions on how to allocate the allotted space to users.







Scan Enhancements


Cancel any unfinished scan:   Now you can cancel a scan any time before it’s finished, even when its status is Submitted. In the previous release, the cancel action was available only for Running scans.  This gives users more flexibility in managing scans that are already running.




API Enhancements



Tip: What's my platform


Release Schedule

For details about the release dates for specific platforms and to subscribe to release notifications by email, please see the following:


This week at RSA Conference 2014 in San Francisco, Qualys announced the general availability of QualysGuard Web Application Firewall.


QualysGuard WAF is designed to be *the* simple, scalable way to defend your web applications. Using virtual appliances running in either Amazon EC2 or VMware's vCenter platform, QualysGuard WAF sensors (which analyze traffic to and from your applications) can be deployed rapidly with a minimal level of security expertise. It uses a new approach to strong web app security that evolves and adapts to the changing threat environment.


New Approach: Describe Desired Security, Let the WAF Build the Rules


QualysGuard WAF can be configured and deployed in a matter of minutes in a true highly-available fashion - active/active cluster nodes are the norm, rather than the exception - and can be scaled horizontally to meet the needs of your organization and infrastructure.  Unlike other web application firewalls that require intricate sets of rules be specified for each app, QualysGuard WAF lets you define your desired level of security with just a few clicks. These security goals are automatically translated into the appropriate rules to use within the WAF sensor.


Figure 1


This not only makes robust security easy to set up, it also enables the protection of your applications to improve over time – without any extra effort from you. Qualys’s global security research team is constantly coming up with better defenses - these ongoing enhancements are deployed each month and urgent updates are added as needed to combat new exploits found in the wild. These additions are automatically used by QualysGuard WAF to dynamically update the rules used by each sensor.


Visual dashboards for an easy overview and interactive drill-down


QualysGuard WAF makes it easy to understand the security of all your applications at once. A concise, visual dashboard summarizes the various events that have occurred, when they took place, and where they came from to help you spot unusual patterns.


Figure 2


QualysGuard WAF categorizes each potential threat it detects according to a variety of attributes, including: the apps affected, severity, geographic location, source network address, how the threat was handled, and more. Interactive filters help you search for unexpected activity and determine how it impacts your applications.


Figure 3


You can then drill into particular events to learn more about them and how to address them:


Figure 4


We’re very excited to be making QualysGuard WAF generally available. We’re also continuing to enhance its feature set, driving more and better interaction with your WAS results and to provide better, more actionable security data to your teams.  We're in Booth 2821 in Moscone North - please feel free to stop by to discuss WAF, your needs, and to walk through our service and see how it truly is groundbreaking in scope.


QualysGuard 7.13 expands its support in Vulnerability Management (VM) for scanning printers, routers and other embedded devices. And a powerful, new Scorecard Report in Policy Compliance (PC) consolidates results across policies and technologies into concise, at-a-glance charts for tracking progress in management reviews and helping individual teams see how they compare against others.


Highlights include: Vulnerability Scorecard Report updates, New Compliance Scorecard Report, MS SQL Authentication – Auto Discover Database Instances, and multiple API enhancements.


QualysGuard 7.13 will be released in production in the coming weeks and includes enhancements to QualysGuard Vulnerability Management (VM) and Policy Compliance (PC) reports, QualysGuard Cloud Platform and API. Details about the release schedule are at the end of this blog post.


QualysGuard Vulnerability Management (VM)

New Support for HTTP Authentication

You now have the option to choose HTTP authentication for vulnerability scans. Use HTTP authentication for scanning protected portions of web sites and devices like printers and routers that require HTTP protocol level authentication. (Note that this is not Form-based authentication.) By authenticating we can perform additional vulnerability tests that we couldn’t do otherwise.



Vulnerability Scorecard Report – More Date Ranges for Vulnerability Age

We’ve enhanced the Vulnerability Scorecard Report to include more date ranges for showing vulnerability counts by age. We’ll show you the total number of vulnerabilities that are less than 30 days old, 31-60 days, 61-90 days, 91-180 days, 181-270 days and 271-365 days.



Remediation Reports – Updated Calculation for Average Resolution

In your remediation reports you’ll see a value for average resolution (Avg. Resolution). The way we calculate the average has changed. We now include:

  1. tickets that moved directly from Open to Closed state by the service, and
  2. tickets that were previously marked Resolved (by a user) and are now marked Closed/Fixed.


In past releases we only considered tickets that had been marked Resolved.



QualysGuard PC Enhancements

New Compliance Scorecard Report

This release introduces the Compliance Scorecard Report – a new template-based compliance report that allows you to:

- Report on multiple policies in a single report (up to 20 policies)

- Report your compliance score across selected policies for specific environments (up to 10 asset groups or asset tags)

- View current compliance status by policy, by asset group/tag and by technology

- Include a breakdown of compliance status changes over a period of time

- Get a list of the top hosts and controls that changed during your selected timeframe




Scorecard Template



Report example - Summary


Policies Overview


MS SQL Authentication – Auto Discover Database Instances

MS SQL authentication now has the ability to discover the database name, database instance and ports. Choose the new auto discover option(s) when you set up your MS SQL authentication records, and the QualysGuard platform will find all matching instances on the target hosts.

When using this option you can simply build one authentication record for multiple IPs instead of one per instance/database/port and IP.



Apache Web Server Authentication – Support for Multiple Instances

This release supports authentication to multiple Apache instances on the same host. This means you can create multiple Apache Web Server authentication records with the same IP address defined – as long as the path to the configuration file is unique.





Policy Report – Control References Added to CSV and XML Formats

You can add references to your controls by using the new policy editor or by editing control details. With this release you can choose to create policy reports with your custom control references in CSV and XML formats. (Note that control references were already available in PDF and HTML reports.)





QualysGuard Cloud Platform

Authentication Records – Improved Method for Adding IP Addresses

The Authentication Record IP address selection has been simplified. You now have a simple text field where you can directly enter IPs and IP ranges or paste them in, or you can select the IPs/Ranges link for a list of IPs you can add to the record.



Enforce Auto Delete Storage Settings

With this release the Manager Primary Contact has the ability to enforce certain storage settings across all users in the subscription. For example, if your corporate policy is that scan results should never be deleted, then the Manager Primary Contact would clear the “Automatically delete scan results” check box and select “Apply these settings to all users”. Other users’ storage settings will be replaced with the settings made by the Manager Primary Contact and these settings will not be editable.



CSV Reports – Option to Hide Header Information

You can now choose to download reports in CSV format without the header information. You can omit the header in all VM reports and PC reports that can be downloaded in CSV format. Basically we’ll include just the central CSV tables containing your security and compliance data, not the metadata.




QualysGuard API Enhancements

The QualysGuard API delivers these new capabilities and enhancements with this release. More information is available in the QualysGuard API community.


  • VM and PC – Using “Report Share” API v2 download CSV reports without headers
  • VM – New “HTTP Authentication” API v2
  • PC – New “Policy Merge” API v2
  • PC – Policy Report XML now includes custom control references
  • PC – “Apache Authentication” API v2 – Support for multiple instances per host
  • PC – “MS SQL Authentication” API v2 – Auto discover database instances


Release Schedule

For release notifications containing details about the release dates for specific platforms and to subscribe to release notifications by email, please see the following:


Qualys will decommission its legacy platform scan distribution service, "Dispatcher", in favor of New Scanner Services, which has been in operation since 2010.  The vast majority of user subscriptions have already been migrated to New Scanner Services, and Qualys will now begin a final push to migrate all remaining subscriptions.  The migration action requires no user action and is non-disruptive except in special circumstances, as described below.


This document outlines the process that will occur and provides guidance on what to expect.  If you have further questions, you may contact your Qualys reseller contact; your Qualys account manager; and/or Qualys support. Details about the migration schedule are at the end of this blog post.


How do I know if my subscription is already using New Scanner Services?

In the QualysGuard UI, navigate to Help > Account Info > General Information to see whether your subscription has been migrated to New Scanner Services.  If your subscription is already registered as Enabled for New Scanner Services, then the remainder of this document does not apply to you.


If your subscription is still in a Disabled state for New Scanner Services, then you should read on.



What is New Scanner Services?

New Scanner Services is a distributed service which, as part of the QualysGuard Cloud Platform, manages communications with deployed scanner appliances.  It is a more robust and scalable service than the Dispatcher service it replaces, and brings many benefits.


What are the benefits of New Scanner Services?

The benefits of New Scanner Services are many and include some of the following:


  • Performance.  Improved scanner capacity monitoring, queuing, and job “microslicing” optimize the distribution of scans across multiple appliances.  See Microslicing Operation and Performance for more.
  • Resiliency.  Scan jobs managed by New Scanner Services continue to execute even during outages to the QualysGuard Cloud Platform UI and API.  Further, scheduled scan pauses are pre-loaded.
  • Monitoring.  Improved monitoring and metrics for appliances, including scanner capacity charts.
  • Virtual appliance availability.  Qualys has virtual appliances available for deployment onto VMware, Amazon EC2, Microsoft Hyper-V, etc.  Virtual appliances require New Scanner Services to be enabled on your subscription.


What visible changes should I expect after I am migrated to New Scanner Services?

The QualysGuard New Scanner Services Description article provides detail on the expected changes, which on the surface are mostly cosmetic.  The changes include:


  • Changes to email alerts.  New Scanner Services includes an additional email alert, a Scan Completed message which arrives as soon as the scanning work is done to provide a status update.  The existing Scan Results message still arrives when the completed scan results are ready for viewing.
  • Updated scanner status icons in the scanner management UI.
  • Appearance of scanner capacity chart in scanner info tab.



What Must I Do To Prepare for Migration To New Scanner Services?

Ensure that all of your appliances are ready for the migration.

In order for an appliance to be considered ready for the migration event, all of the following must be true:




Each appliance is communicating with Dispatcher service.  If green, this icon indicates that an appliance can successfully connect to the Dispatcher service (i.e., or


Navigate to Vulnerability Management > Scans > Appliances to confirm that all appliances are Online.


Risk: An appliance that is not successfully communicating with Dispatcher at the time your subscription is migrated to New Scanner Services may be "orphaned" (see below).


Each appliance is communicating with New Scanner Services.  If blue, this icon indicates that an appliance can successfully connect to New Scanner Services (i.e., or  Therefore, it is considered Ready for New Scanner Services.


If red, this icon indicates that scanservice1 cannot be reached.


Risk: An appliance that is not successfully communicating with New Scanner Services at the time your subscription is migrated may be "orphaned" (see below).


Tip: You should ensure that your outbound firewall, URL filtering, and/or proxy policies are updated to allow appliance outbound connectivity via HTTPS to or at TCP port 443.



See How to check scanner appliance status for more guidance on this topic.



When will my subscription be migrated to New Scanner Services?

  • If all of your appliances are currently online, Qualys may migrate your subscription at any time.  If you would like to prioritize or explicitly schedule your migration, please contact your representative or Qualys Support.
  • If any of your appliances are currently offline, Qualys will begin contacting you individually to make arrangements for the migration (i.e., to decide the fate of currently offline appliances).
    • If you have offline appliances which you know to be decommissioned and unwanted, please contact Qualys support so that they may be removed from your account.
  • If any of your appliances have been continuously offline for more than 90 days, Qualys may proactively choose to consider these appliances decommissioned and unwanted by the user and may execute the migration to New Scanner Services without making special arrangements.


What happens to appliances which are not successfully migrated?

As mentioned above, appliances which are not fully online (i.e., communicating with both Dispatcher and New Scanner Services) at the time of migration may become temporarily or permanently orphaned and become unavailable for use.


If any of your appliances lose sync during the migration because they were offline at the time or otherwise, Qualys support and/or your MSSP will attempt the following recovery steps:


  • Technical support will ask you to verify full connectivity between the appliance and the QualysGuard Platform, including routing, proxy, firewall, and URL filtering configurations.
  • Technical support will perform a "session reset" on the Platform which can often bring an orphaned appliance back into sync.
  • Technical support will ask that you perform a hard reset on your appliance.  You may need to physically visit the deployment location in order to execute this.
  • Finally, if all other efforts have failed, Qualys will recommend that your current appliance be RMA'ed and replaced with another one.


How long will the migration take?

The migration process consists of a single configuration change to your subscription by Qualys support personnel. After New Scanner Services is enabled, all of your appliances should show green for New Scanner Services within 30 minutes.


Any scans already underway at the time of the migration should be unaffected.  They will complete first, and then the scanners will re-register to New Scanner Services.


Migration Schedule

For details about the migration dates for specific platforms, please see the following:


Note: There are no outstanding migrations for US Platform 2.


QualysGuard WAS 3.2 provides improved control over how and when scans are performed and boosts the efficiency of developers in diagnosing issues with their web applications.


Feature highlights include: A granular scan progress display, specific scan cancel time, binary file exclusions and many usability enhancements.


QualysGuard WAS 3.2 will be released in production in mid-February. Details about the release schedule are at the end of this blog post.


Scanning Enhancements


Track Scan Progress:  Track the current status of a scan in progress in the scan view window. The new Scan Progress section shows you the current progress of your scan and the scan start time. This provides users with positive confirmation that the scan is progressing and the web application is continuing to respond during testing.  The Stats section tells you the number of links collected and crawled, and the number of requests performed.





Define a Default Option Profile for Your Subscription: Now you can make any option profile the default for your subscription. This option profile will be selected automatically each time you launch a scan, unless a different option profile is defined for the target web application. This makes it easy to ensure that, by default, users scan with the option profile that is best for your organization.  Setting the default is available only to users with full scope and permissions.





Ignore Common Binary Files Based on File Extension:  We’ve added an option profile setting called “Ignore common binary files based on file extensions.” This can dramatically reduce the amount of time needed to scan a web application that contains many of these types of files.  When enabled, scans will ignore files with these extensions: .pdf, .zip and .doc.   This setting will be turned on by default when you create new option profiles.





Cancel a Scan at a Precise Time:   Previously, when launching or scheduling a scan you could only choose to cancel the scan after a certain number of hours. With this release, you can choose to cancel the scan at a precise time in scan settings under Cancel scan. This enables you to be sure you stop a scan before the end of a defined scan window without worrying about when the scan starts.




Reporting Enhancements



Export Vulnerability Payload Response in HTML:   Now you can provide more details to developers for vulnerabilities identified in scanning.  You can view vulnerability detections in a few spots: in web application reports, in scan reports, and under Web Applications > Detections. In the vulnerability details, you’ll notice a new Export icon in the payload response section. Click this icon to export the payload response.





This export option is also available for the Information Gathered results in your scan reports and web application reports.




When results exceed 5000 characters they will be truncated to ensure good browser performance. You have the option to export the full contents of the report.




Move a Report to a New Browser Window:   This makes it easy to do side-by-side comparisons, saving time. It also increases the number of reports you can have open at one time. Go to Reports and create a report. Click New window to move the report to a new browser window.




You can edit and download your report in the new window just as you would within the UI.




Select Timezone Used for Dates in Report:    Dates in reports default to the timezone set in the user’s account settings. When you download a report, you now have the option to select a timezone we’ll use to display all dates in your saved report. In the previous release, all dates in saved reports appeared in GMT.




Web Application Enhancements


Use Save As to Create a New Web Application:   Save time by creating a new web application based on an existing one, then edit the settings as needed. Go to Web Applications > Web Applications,  hover over a web application and choose Save As from the menu.






Move a Sitemap to a New Browser Window: You can keep your sitemap open in a separate browser window while working in the WAS UI. All the functionality of the sitemap remains available in the new window. Go to Web Applications > Web Applications, hover over a web application and choose View Sitemap from the menu. Click the red outlined icon in the upper right corner to move the sitemap to a new window.



Server Authentication Record – Realm not required:  The Realm field is no longer required when configuring a basic server authentication record.



Usability Enhancements


Improved Usability of Datalists


Improved Navigation

When the total number of records exceeds the number of records per page, click to select the range of records you want to display. You’ll notice that the currently displayed range is highlighted.   





Improved Actions Menu

You’ll notice the Actions menu now displays the number of items you’ve selected for the action.   



New Sort By Options

The settings menu now provides several options under Sort By.   



Online Help Improvements:

When you select Help > Online help, we’ll display help specific to your current location in the UI. For example, if you’re working with scans, the help will appear as shown. 




You’ll also notice a new Launch Help link in the title bar of each wizard. Click this link to view help related to your current workflow. For example when launching a scan click this link to view scan related help.





CVSS Scoring Updates for Cross-Site Scripting (XSS) QIDs


Enhanced Scoring Consistency

To bring additional consistency to CVSS base scoring for similar Cross-Site Scripting vulnerabilities, which will enable better risk calculation by users, QualysGuard WAS will adjust the current CVSS scoring for the QIDs below.  The new CVSS score of 4.3 is based on a median score calculation identified by analysis of existing vulnerability scores.


QIDs updated to CVSS base score of 4.3


  • 150000
  • 150001
  • 150002
  • 150013
  • 150046
  • 150048
  • 150062
  • 150076
  • 150090
  • 150092



API Enhancements



Tip: What's my platform


Release Schedule

For details about the release dates for specific platforms and to subscribe to release notifications by email, please see the following:


Update 2: Cloudflare just published an interesting piece on the latest attack that they have been exposed to, which peaked at 400 Gbps. It is amazing that only 4529 NTP servers can generate 400 Gbps traffic. In that sense NTP is a better amplifier than DNS, where 30,956 servers were needed for a 300 Gbps attack. Paul Vixie from Farsight Security explains how to solve the problem at least theoretically, but he believes the incentives to do it are just not there as the owners of the network are not directly affected. He dealt with a similar issue with DNS, but decided instead to adapt BIND to recognize reflection attacks. It is not the "right" solution, but the most practical...


Update: Animesh Jain from our Vulnerability Research Team has published a technical post with more in depth information on the probing mechanism and indicators used to implement this specific detection. Excellent insight into the inner workings of a remote detection.


Original: Symantec recently reported on the increasing use of the NTP (Network Time Protocol) in Denial of Service attacks. Over Christmas of 2013, servers for a number of gaming sites were taken down in NTP DoS attacks, including the popular League of Legends and Steam. Now regardless of whether you care about online gaming, this attack might affect you, as the hackers might have involved your servers in the attack.



In a Denial of Service attack, the hacker typically floods the target machine or service with too many requests for the service to handle, in essence exhausting the processing capacity of the servers, or simply generates so much traffic that the network connection of the service is overwhelmed. In either case the result is the same: the service becomes unresponsive and its users are prevented from logging in and accessing the system.


To make these attacks work even against well connected systems, the hacker needs to use many machines to generate enough requests or traffic. Often a botnet with thousands of computers is necessary to generate the traffic directly; however, there is also another attack style that generates the traffic indirectly - the so-called reflection attack. In a reflection attack, the hacker enlists vulnerable or misconfigured machines on the internet to generate the traffic for the attack. For example in a Domain Name System (DNS) reflection attack, the hacker sends a DNS request to a DNS server on the Internet, but includes as the source IP address for the request the address of the service to attack. This way, the response to the DNS request, which is typically 10x larger than the request, gets sent to the targeted service and clogs its network with useless data. BTW, this only works because DNS uses UDP, a sessionless protocol where source addresses can be spoofed.



    Fig 1: Amplification attack as illustrated on the Cloudflare blog


DNS is not the only protocol that can be abused that way. NTP has a similar flaw where a short request of 200+ bytes can generate a response of several kilobytes, amplifying the request by a factor of 100-200! The problem lies in the “monlist” command of the NTP protocol, which is useful for troubleshooting, but not really needed in day-to-day use of NTP. Unfortunately, it is enabled by default in most NTP installations (maybe even in yours) and was used by the attackers over the Christmas holiday to attack the mentioned gaming servers.


The flaw in NTP has been assigned CVE-2013-5211 and the US-CERT has sent out alert TA14-013A “NTP Amplification Attacks Using CVE-2013-5211” informing of the patched NTP server in version 4.2.7 for all major operating systems.


You can use QualysGuard to verify if your servers can be abused in the described way. Scan your Internet facing machines with QualysGuard and look for QID 121695 “NTP monlist Feature Denial of Service Vulnerability” in your scan results. The detection is remote, i.e. the scan does not need to be authenticated. If you find your servers to be vulnerable, please update or implement the work-around described in the US-CERT advisory, disabling the monlist command - you are making the Internet a safer and better working place for all of us.
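For the work-around side of this, the following added example (not part of the original post and not a Qualys tool) audits the text of an ntp.conf for the two usual ways of switching monlist off. The directive names `disable monitor` and `restrict ... noquery` come from ntpd's configuration syntax rather than from this post; the function names and the three sample configurations are constructed for illustration.

```python
# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict 127.0.0.1
"""
HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""
# ntpd keeps its monitoring data whenever a restrict line uses "limited",
# so "disable monitor" on its own does not help in this configuration.
LIMITED_CONF = """\
disable monitor
restrict default limited kod nomodify notrap nopeer
"""


def directives(conf_text):
    """Yield each configuration line as lower-cased words, comments stripped."""
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].lower().split()
        if words:
            yield words


def audit_ntp_conf(conf_text):
    """Report whether an ntp.conf still lets remote hosts use monlist."""
    monitor_disabled = False
    limited_in_use = False
    default_noquery = {"ipv4": False, "ipv6": False}
    for words in directives(conf_text):
        keyword, args = words[0], words[1:]
        if keyword in ("disable", "enable") and "monitor" in args:
            monitor_disabled = keyword == "disable"
        elif keyword == "restrict":
            limited_in_use = limited_in_use or "limited" in args
            if "default" in args:
                # Conservative: a bare "restrict default" is counted for IPv4
                # only, so IPv6 needs its own "restrict -6 default" line.
                family = "ipv6" if "-6" in args else "ipv4"
                default_noquery[family] = "noquery" in args or "ignore" in args

    findings = []
    if not monitor_disabled:
        findings.append("'disable monitor' is not set")
    elif limited_in_use:
        findings.append("'disable monitor' is ineffective while a restrict "
                        "line uses 'limited'")
    for family, blocked in default_noquery.items():
        if not blocked:
            findings.append(f"default restrict for {family} lacks noquery")

    monitor_off = monitor_disabled and not limited_in_use
    queries_blocked = all(default_noquery.values())
    return {"monlist_mitigated": monitor_off or queries_blocked,
            "findings": findings}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("limited", LIMITED_CONF)):
        print(name, audit_ntp_conf(conf))
```

The check looks only at the default restrict entries; a more specific restrict line that omits noquery still answers queries from the networks it names, so review those separately and confirm the result with a scan.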


The Open NTP Project is also a handy resource, as you can plug in your external IP addresses and search through their database of affected machines.


Happy scanning for QID 121695 and let me know your results.




     Fig 2: 121695 detected on a Qualys demo machine


It's time for the Top 13 of '13 -- the most popular and most viewed blog posts, discussions, new product features, technical documents and videos that were contributed, read, updated, and commented on in 2013 by the Qualys Community of security professionals.


Many thanks to all the Qualys Community members and site visitors for building out the reference library and active conversations that comprise Qualys Community!


Top 13 Blog Posts

  1. Automate the delivery of security intelligence for new assets
  2. Automate Host Discovery with Asset Tagging
  3. Announcing WAS 3.0 with Malware Detection and Burp Suite Integration
  4. Add Pen Testing to Web App Scanning for More Security
  5. RC4 in TLS is Broken: Now What?
  6. SSL Labs: Deploying Forward Secrecy
  7. Is BEAST Still a Threat?
  8. Configuring Apache, Nginx, and OpenSSL for Forward Secrecy
  9. Hacking into WordPress Using a Vulnerable Plug-in
  10. Defending against the BREACH Attack
  11. September 2013 - New IE 0-day - Update
  12. Updated SSL/TLS Deployment Best Practices Deprecate RC4
    - this is my personal favorite, because the best practices guide is so clear.
  13. Plus 8 blog posts from Qualys Security Conference 2013


See the most current blog posts.



Top 13 Discussion Threads

  1. VM: Generating report with both confirmed vulnerabilities & potential vulnerabilities
  2. VM: Disabling NULL sessions as a best practice
  3. VM: Populating Asset Lists from Excel
  4. VM: Authenticated scans vis-a-vis real vulnerabilities
  5. VM: Identify hosts in multiple scan asset groups
  6. PC: How to Identify Unwanted Applications (Policy Compliance)
  7. PC: Use of Remote Registry Service to scan Windows servers
  8. PCI: How to change the user authorized to run PCI scans in QualysGuard
  9. WAS: Adding Web Applications from a List
  10. WAS: Crawl Exclusion List
  11. API: Powershell module integrates QualysGuard w/ 3rd-party ticketing systems
  12. API: Give Users Access to Reports via API
  13. API: Proactively managing Qualys API call concurrency


Plus three extras from SSL Labs:

  1. SSL: Why is disabling TLS 1.2 being recommended
  2. SSL: How to enable Forward secrecy using Apache 2.2/OpenSSL 1.0.1 and Firefox 10 ESR?
  3. SSL: Adding ECDHE parameters to an SSL Certificate file


See the most current discussion threads.



New Product Features in 2013


  1. QualysGuard 7.12 Update: Multiple New Enhancements
  2. QualysGuard 7.12 New Features
  3. QualysGuard 7.11 Update: New Vulnerability Notification Feature
  4. QualysGuard 7.11 New Features
  5. QualysGuard 7.10 New Features
  6. QualysGuard 7.9 Release Notification: Available April 19, 2013
  7. QualysGuard 7.8: New Vulnerability Scorecards
  8. QualysGuard WAS 3.1 New Features
  9. Announcing WAS 3.0 with Malware Detection and Burp Suite Integration
  10. QualysGuard WAS 2.4.2: March 5, 2013
  11. QualysGuard WAS 2.4.1: January 31, 2013
  12. Add Pen Testing to Web App Scanning for More Security
  13. BrowserCheck Business Edition Adds "No Plugin" Download Option
  14. Qualys BrowserCheck Adds Automatic Daily Scanning and Improved MacOS Support



Top 13 Technical Documents and Developer Scripts

Technical Documents:

  1. QualysGuard WAS and OWASP TOP 10
  2. How to find rogue devices on your network
  3. How much does it cost to run a QualysGuard Virtual Scanner Appliance on Amazon EC2?
  4. Change the Name of Your Appliance
  5. Qualys scanner appliance hardware specification
  6. SAML Frequently Asked Questions (FAQ)


See LOTS MORE support articles and how-to's in the Help Center.


Developer Scripts:

  1. python-qualysconnect: A Python QualysGuard(R) Helper Package updated with API v2 calls via BasicAuth
  2. QGIR: QualysGuard Integration with Reporting
  3. Qualys API client examples
  4. Script: Parse QualysGuard VM maps for live IPs not currently subscribed.
  5. Script: Excluding non-running kernel vulns when downloading data via API
  6. Automate multiple WAS scanning
  7. Exporting the Vulnerability KnowledgeBase to an external Database


See all developer content in the Developer Community.



QualysGuard Video Series

All video series are new or updated in 2013!


  1. Express Lite
  2. Questionnaire Service
  3. Vulnerability Management
  4. Policy Compliance
  5. Web Application Scanning
  6. Malware Detection Service
  7. Best Practice Videos


Plus a bonus video: DHS Director John Streufert Keynote from Qualys Security Conference 2013



Qualys wishes you a happy, productive, and secure 2014!


As 2013 comes to a close, enterprise partnerships and mergers and acquisitions in the tech sector have continued to occur at billion dollar levels. One can infer there is much to gain from adding the confidential intellectual properties of others. The true puzzle is understanding if the intellectual properties are, in fact, truly confidential. After all, what is the value in acquiring trade secrets if they are not secret?



Your organization’s threat landscape dramatically expands as a result of these types of corporate asset purchases. Defining a vulnerability baseline of your newly onboarded assets enables your organization to adopt a risk-based approach. QualysGuard is capable of providing that baseline in short order. Leveraging QualysGuard’s API, one can extend this capability to an automated process that aligns with best practices to protect your business expansions and investments.



Getting started on baselining new external assets

A joining of organizations or new partnerships eventually leads to attaching a foreign set of IP addresses to your IT environment. These IP addresses may be attached via an external VPN connection or perhaps through a merging of internal networks. Whatever the case, the end result is adding IP addresses with an unknown security posture.


The following describes the steps to programmatically have QualysGuard scan your new external assets.



  1. Gather ingredients for automation (new IP addresses, option profile, etc.).
  2. Subscribe the IP addresses of the new assets.
  3. Assign the IP addresses to a new asset group, which could be the name of the business group.
  4. Scan the IP addresses.
  5. Poll scan status until scan completes.
  6. Create action items via reporting.

Gather ingredients

To fulfill this automation, you will need the following:

  1. QualysGuard user with API access and privilege level of manager or unit manager.
  2. An option profile configuration of your scan.
  3. External target IP addresses.
  4. An asset group name to reference these target IP addresses.
  5. A scan title to label these automated scans.

Subscribe new assets

The first step to automating the baselining of new assets is to define the IP addresses that you would like to target. If you have gotten this far, you have completed the hardest step! The rest of the automated process is all performed within QualysGuard via the API with manager level access.


Let’s walk through programmatically adding and scanning externally facing hosts. Before QualysGuard can scan the new IP addresses, we must permit QualysGuard to scan them by adding the IP addresses to your subscription.


API call details:

  • API v1
  • Call = asset_ip.php
  • Method = GET
  • Parameters
    • action = add
    • host_ips = IP addresses to add


Sample request response from adding target IP addresses:


<?xml version="1.0" encoding="UTF-8"?>
<GENERIC_RETURN>
  <API name="asset_ip.php" username="username" at="2013-12-10T18:03:00Z" />
  <RETURN status="SUCCESS">The operation was successfully completed</RETURN>
</GENERIC_RETURN>
<!-- CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2013, Qualys, Inc. //-->


We can confirm this request was successful from the XML response's GENERIC_RETURN.RETURN tag:


<RETURN status="SUCCESS">The operation was successfully completed</RETURN>


Assign IP addresses to asset group


Before we scan the IP addresses, let’s add them to an asset group for easy referencing. You may want to customize the comments.

API call details:

  • API v1
  • Call = asset_group.php
  • Method = GET
  • Parameters
    • action = add
    • comments = Created via automation for organization_name.
    • host_ips = IP addresses to add
    • title = organization_name


Sample request response from creating asset group for target IP addresses:


<?xml version="1.0" encoding="UTF-8"?>
<GENERIC_RETURN>
  <API name="asset_group.php" username="username" at="2013-12-10T18:20:17Z" />
  <RETURN status="SUCCESS">The operation was successfully completed</RETURN>
</GENERIC_RETURN>
<!-- CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2013, Qualys, Inc. //-->


We can confirm this request was successful from the XML response's GENERIC_RETURN.RETURN tag:


<RETURN status="SUCCESS">The operation was successfully completed</RETURN>


Launch scan

Next, as a one-time setup, the option profile to be used should be assigned or created. In this example, we will use the option profile titled “New IPs option profile”.


We are all set to scan! Let’s shoot off a quick scan from Qualys’s external scanners. You may want to customize the scan title.



API call details:

  • API v2
  • Call = /api/2.0/fo/scan/
  • Method = POST
  • Parameters
    • action = launch
    • asset_groups = organization_name
    • option_title = New external
    • scan_title = Acquisition scan of organization_name


This launch request will return an XML response containing the scan reference identifier. We want to remember that value so we can easily keep tabs on when the scan completes.


Note: In this example, we will scan You should only scan IPs that you own or are authorized to scan.


Sample request response from launching scan:


<?xml version="1.0" encoding="UTF-8"?>
    <TEXT>New vm scan launched</TEXT>


The scan reference from the above XML is in the SIMPLE_RETURN.RESPONSE.ITEM_LIST.ITEM.VALUE tag:




Poll for scan status


Now that the scan has just launched, we should wait about 7 minutes before we check on its status.


API call details:

  • API v2
  • Call = /api/2.0/fo/scan/
  • Method = POST
  • Parameters
    • action = list
    • scan_ref = scan/1386877291.18226


Sample request response with scan still running:


<?xml version="1.0" encoding="UTF-8"?>
        <TITLE><![CDATA[Acquisition scan of organization_name]]></TITLE>
<!-- CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2013, Qualys, Inc. //-->


The state of the scan is the value we are interested in.


State from the above polling request showing the scan is still running:




Continue to poll the scan every 5 minutes. This will give enough of a buffer to avoid going over your API limit.


We are looking for the state value to show "Finished" like below:




Create action items


Congratulations! QualysGuard now has up-to-date security intelligence on your new assets. The results will be merged into your auto data momentarily. Let's explore leveraging QualysGuard's reporting functionality to make this scan actionable.


In case you would like to parse the results immediately, perhaps for alerting purposes, the following methods can work:

  1. Leveraging a report template against the manual scan data and downloading that report (recommended).
  2. Downloading the raw scan data for a complete view.


Important to note

This workflow is specific to external IP addresses being added. Programmatic input of these IP addresses should be thoroughly reviewed, as QualysGuard will scan whatever it is told is okay to scan.


The following should be considered if this capability is to be extended to internal IP addresses:

  • Host tracking type should be considered when adding the IPs into the subscription.
  • Scanner appliances and a default scanner appliance should be assigned to the asset group during the asset group creation.
  • The launch step should include which scanner appliance to scan the target hosts with.
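The workflow above, from subscribing the IP addresses through polling, as an added offline example that is not part of the original post and is not Qualys code. It checks targets against a reviewed allowlist before anything is submitted, builds the calls with the parameters listed above, and parses the responses. The sample responses are constructed; the KEY element, the STATUS/STATE path, the failure states and all function names are assumptions.

```python
import ipaddress
import re
import time
import xml.etree.ElementTree as ET

# Constructed sample responses (not captured from a live platform). The tag
# paths follow the post; the KEY element and STATUS/STATE path are assumptions.
V1_OK = ('<GENERIC_RETURN><API name="asset_ip.php" username="username" '
         'at="2013-12-10T18:03:00Z" /><RETURN status="SUCCESS">The operation '
         'was successfully completed</RETURN></GENERIC_RETURN>')
LAUNCH_OK = ('<SIMPLE_RETURN><RESPONSE><TEXT>New vm scan launched</TEXT>'
             '<ITEM_LIST><ITEM><KEY>REFERENCE</KEY>'
             '<VALUE>scan/1386877291.18226</VALUE></ITEM></ITEM_LIST>'
             '</RESPONSE></SIMPLE_RETURN>')
LIST_TEMPLATE = ('<SCAN_LIST_OUTPUT><RESPONSE><SCAN_LIST><SCAN>'
                 '<TITLE><![CDATA[Acquisition scan of organization_name]]></TITLE>'
                 '<STATUS><STATE>{state}</STATE></STATUS>'
                 '</SCAN></SCAN_LIST></RESPONSE></SCAN_LIST_OUTPUT>')
SCAN_REF_RE = re.compile(r"scan/\d+\.\d+")


def validate_targets(ips, authorised_networks):
    """Return cleaned targets; refuse anything outside the reviewed ranges."""
    nets = [ipaddress.ip_network(n) for n in authorised_networks]
    cleaned = []
    for raw in ips:
        addr = ipaddress.ip_address(raw.strip())  # ValueError if malformed
        if not any(addr in net for net in nets):
            raise ValueError(f"{addr} is outside the authorised ranges")
        cleaned.append(str(addr))
    return cleaned


def build_calls(ips, group, option_title, scan_title):
    """The three state-changing calls from the post as (method, call, params)."""
    host_ips = ",".join(ips)
    return [
        ("GET", "asset_ip.php", {"action": "add", "host_ips": host_ips}),
        ("GET", "asset_group.php", {
            "action": "add", "title": group, "host_ips": host_ips,
            "comments": f"Created via automation for {group}."}),
        ("POST", "/api/2.0/fo/scan/", {
            "action": "launch", "asset_groups": group,
            "option_title": option_title, "scan_title": scan_title}),
    ]


def v1_succeeded(xml_text):
    """True when GENERIC_RETURN.RETURN carries status="SUCCESS"."""
    node = ET.fromstring(xml_text).find("RETURN")
    return node is not None and node.get("status") == "SUCCESS"


def scan_ref_from_launch(xml_text):
    """Pull the scan reference out of SIMPLE_RETURN.RESPONSE.ITEM_LIST.ITEM."""
    for item in ET.fromstring(xml_text).findall("RESPONSE/ITEM_LIST/ITEM"):
        value = (item.findtext("VALUE") or "").strip()
        if item.findtext("KEY") == "REFERENCE" and SCAN_REF_RE.fullmatch(value):
            return value
    raise ValueError("launch response carries no well-formed scan reference")


def scan_state(xml_text):
    """Read the scan state from an action=list response."""
    state = ET.fromstring(xml_text).findtext("RESPONSE/SCAN_LIST/SCAN/STATUS/STATE")
    if state is None:
        raise ValueError("no scan state in response")
    return state.strip()


def poll_until_finished(fetch_list, scan_ref, first_wait=7 * 60,
                        interval=5 * 60, max_polls=48, sleep=time.sleep):
    """Wait 7 minutes, then poll every 5; return the number of polls used.

    fetch_list(scan_ref) must return the XML text of the action=list call.
    """
    sleep(first_wait)
    for attempt in range(1, max_polls + 1):
        state = scan_state(fetch_list(scan_ref))
        if state == "Finished":
            return attempt
        if state in ("Canceled", "Error"):  # assumed failure states
            raise RuntimeError(f"scan {scan_ref} ended in state {state}")
        sleep(interval)
    raise TimeoutError(f"scan {scan_ref} not finished after {max_polls} polls")


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range standing in for reviewed targets.
    targets = validate_targets(["203.0.113.10"], ["203.0.113.0/24"])
    for call in build_calls(targets, "organization_name", "New external",
                            "Acquisition scan of organization_name"):
        print(call)
    states = iter(["Running", "Finished"])
    print(poll_until_finished(lambda ref: LIST_TEMPLATE.format(state=next(states)),
                              scan_ref_from_launch(LAUNCH_OK), sleep=lambda s: None))
```

To use it against a live subscription, pass a fetch_list function that performs the authenticated action=list request and returns the response body.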


Proof of concept implementations

Note, the following are unsupported. They are unofficial proof of concept implementations of the above workflow.


This POSTMAN collection contains all the API calls preconfigured for the workflow above:

Blog, scan new assets.json.postman_collection


You can find more information on setting up POSTMAN for QualysGuard here.


Python code


Coming soon...


An update to QualysGuard 7.12 will be released in production in the coming weeks to introduce improvements to the QualysGuard Cloud Platform and API:

  • New Permission to Manage External IDs
  • Dissolvable Agent Per Scan
  • QualysGuard API Enhancements

QualysGuard Cloud Platform

The following enhancements have been added to the platform:


New Permission to Manage External IDs

In this release, the Manager Primary Contact can now control which managers have permission to assign/edit external IDs for users. (In previous releases, any manager could change the external ID.)



External IDs


new security setting


User Extended Permission




Dissolvable Agent Per Scan

This release introduces the ability to enable the dissolvable agent on a per scan basis. You do this by selecting the dissolvable agent in your option profile (for vulnerability scans) and compliance profile (for compliance and SCAP scans). The dissolvable agent must first be accepted for the subscription.


The dissolvable agent will be enabled in your existing option profiles (and compliance profiles) automatically if the dissolvable agent was accepted for your subscription prior to this release. If it was not accepted, then it is not enabled in your option profiles.


Additionally, the dissolvable agent is not enabled by default in new option profiles.



QualysGuard Vulnerability Management - Scan Option Profile



QualysGuard Policy Compliance



QualysGuard API Enhancements

More details about the API feature in QualysGuard 7.12 update can be found in the QualysGuard 7.12 Update API Notification.


Compliance Posture Info - API v2 Enhancements

With this release we’ve added new input parameters to the “Compliance Posture Info” API v2 (with the endpoint /api/2.0/fo/compliance/posture/info/) to give you more flexibility with downloading compliance posture data from your account.

  • Using the new “policy_ids” parameter you can download compliance posture data for up to 10 policies.
  • Using the new “asset_group_ids” parameter you can filter compliance posture data to include certain asset groups. When used, posture data is downloaded only for hosts in the asset groups you’ve specified.



Full release notes will be available to customers from within the Resources section of your QualysGuard account.


Release Schedule

For details about the release dates and to subscribe to release notifications by email, please see the following:


Tip: What's my platform


Update: Also see details on the update to QualysGuard 7.12.


QualysGuard 7.12 will be released in production in the coming weeks and includes enhancements to QualysGuard Vulnerability Management (VM) and Policy Compliance (PC) reports, and API.


Highlights include: new Certificate (SSL) Dashboard, new VM Authentication Report, Test Control function in the Policy Editor, and API enhancements.


QualysGuard VM Enhancements

New Host Certificate Dashboard

The new Host Certificate page provides administrators with a dedicated dashboard for certificate-related information such as certificates by expiration date, by key size, by certificate authority, by port, and self-signed certificates, as well as the certificate details.




By expiration date



By certificate authority



By port



Self-signed certificates





Authentication Report Now Available in VM


You can now run the Authentication Report from the Vulnerability Management (VM) application. This gives you an easy way to verify authentication to your hosts and troubleshoot when authentication was not successful. This report was previously only available in Policy Compliance (PC).





KnowledgeBase Update - Additional Exploitability Information

Qualys will publish exploit information when we know about an exploit and the exploit has not been revealed by any other vendor. When this is the case, you’ll see Qualys listed as the source, as shown in the example below.





QualysGuard PC Enhancements

Policy Editor Improvement - New Test Control Option

You now have the option to run a quick test to see whether a control will pass or fail for a host directly from the Policy Editor. You’ll get the pass or fail status and the actual value based on the last scan of the host. This allows you to modify the control value if needed before saving your policy without the need to generate a compliance report.





Policy Report Update - Evaluation Date Added to CSV Format

When you run or download a Policy Report in CSV format, the host details will now include the evaluation date. The evaluation date represents when the control was last evaluated for the host. Prior to this release, the evaluation date appeared in other report formats but not in CSV.



PC Authentication Report Update – Host Technology Added

The Policy Compliance (PC) Authentication Report tells you whether hosts scanned for compliance passed authentication. With this release, the PC Authentication Report includes the host technology associated with each host instance - this is the technology the host’s operating system is mapped to.



User-Defined Controls - Debian Technologies Added

In this release Debian GNU/Linux 6.x and 7.x have been added to user-defined controls. You can create user-defined controls and set values for these technologies, create policies for these technologies and search for controls defined with these technologies.



QualysGuard Cloud Platform

Scanner Appliance Heartbeat Check Notification Updated

Improvements were made to the Scanner Appliance Heartbeat Check email notification. The email now includes useful troubleshooting information for appliance connectivity issues and instructions on where to find more information about your appliance.

QualysGuard API Enhancements

Full details about the API feature in QualysGuard 7.12 can be found in the QualysGuard 7.12 API Release Notes.


API Support for QualysGuard Express Lite Users

We are pleased to announce QualysGuard API support for Express Lite users. Now Express Lite users have the ability to use the QualysGuard API to manage scans, assets (IP addresses and domains) and user accounts.

Asset IP - API v2 Enhancements - Ability to add and update IP addresses

The Asset IP API v2 (with the endpoint /api/2.0/fo/asset/ip/) gives you the ability to add IP addresses for scanning to the subscription, and update them. You can choose to add IP addresses to VM and/or PC, depending on your license.

Compliance Posture Info - API v2 Improvements

Using the “Compliance Posture Info” API v2 (with the endpoint /api/2.0/fo/compliance/posture/info/) you have the ability to retrieve batches of compliance posture info records and customize the page size (i.e. the number of posture info records).

Compliance Control - API v2 Improvements

Using the “Compliance Control” API v2 (with the endpoint /api/2.0/fo/compliance/control/) you have the ability to retrieve batches of compliance controls and customize the page size (i.e. the number of control records).

PC Authentication Report – Host Technology Added

With this release, the PC Authentication Report includes the host technology associated with each host instance - this is the compliance technology the host’s operating system is mapped to. We added a new element <HOST_TECHNOLOGY> to the XML output and updated the report DTD. You can download this report in XML format using the QualysGuard user interface.




Release Schedule

For details about the release dates and to subscribe to release notifications by email, please see the following:


QualysGuard WAS 3.1 will be released in production in mid-November and includes a number of new features and enhancements to existing capabilities.


Highlights include: A new web application tree to navigate the layout of a scanned site,  authentication records that can be reused for multiple web applications, and CVSS scores in web application and scan reports.


Web Application Enhancements

The New Web Application URL Tree: The web application URL tree allows you to easily locate information and perform actions on a web application. Now after running a quick discovery scan you can review the structure of the site and decide if some areas should be white or black listed before running a vulnerability scan. After running a vulnerability scan you can also more easily identify the areas of the site that have the most security issues.



Filter the site tree: You can filter the view by crawled pages, excluded pages, external pages, vulnerabilities or sensitive content.




Take action: You can create a new web application or add the link to a black list or white list. You can also choose to view the link in your browser.





Authentication Records Are Now Independent: WAS authenticated scanning enables you to discover and validate vulnerabilities by performing more in-depth assessment of your web applications than unauthenticated scanning. In WAS 3.1 we’ve given authentication records their own place in the WAS UI, enabling you to manage authentication records independently from web application settings and easily create an authentication record once and associate it with multiple web applications. This is a major time saver for development, QA or portal environments that may share authentication.





New Actions for Finding Detections and Burp Issues for a Web Application: Now you can easily find detections and Burp issues related to your web applications. We’ve added new actions to find the related security issues for a selected web application. This makes it easy to see the current vulnerabilities for a web application without having to run a report.




We’ll display detections or issues filtered for the web application you selected.





Catalog Entry Status Update: We’ve improved the catalog list to account for deleted web applications that were created from catalog entries. When you delete a web application that was created from a catalog entry, we automatically change that catalog entry’s status from “In Subscription” to “New”. This enables you to add this web application back into the subscription if needed at a later time.




Scanning Enhancements



Filter Scans and Schedules by Tags: You can now filter scans and schedules by selecting tags, making it easy to find just the scans and schedules you need. When using this filter the list will display scans or schedules only for web applications that are assigned the selected tags.





New Option to Download Scan Results in XML: We’ve added the option to download scan results in XML format from the scans list. This is a quick way to get XML scan results that can be used with our WAF integration partners including Citrix Netscaler, Imperva SecureSphere and the F5 ASM.




Scan Complete Notification Email Lists Appliance IP: We’ve updated the scan complete notification email to include the IP address of the scanner appliance used for the scan, making it easier to troubleshoot if there were issues with the scan, or to whitelist the source IP as needed.




Filter Target Sites for Malware Monitoring in MDS: In the MDS application we’ve added site type filters to the site list, scan list and schedule list. You can easily filter each of these lists to show sites in your WAS application being monitored for malware, or sites that are being monitored for malware only.






Enhancements to the Appliances List: The Appliances section now includes information about your virtual appliances in addition to physical appliances.




Report Enhancements


Added CVSS Scores to Scan and Web Application Reports: We’ve added CVSS Base and Temporal scores to the details displayed for vulnerabilities and sensitive content in scan and web application reports. This information is also included when viewing details from the detections list.





Web Application Details are Now included in XML and CSV Scan Reports: The XML and CSV output for downloaded web application reports and scan reports now shows web application settings in the Appendix section.



Example XML:




               <NAME><![CDATA[Vulnerability Scan -2013-Jul-24]]></NAME>
               <WEB_APPLICATION><![CDATA[Demo WebApplication]]></WEB_APPLICATION>
               <AUTHENTICATION_RECORD><![CDATA[MyAuthentication Record
                      (ID=3904,Demo WebApplication)]]></AUTHENTICATION_RECORD>
               <PROFILE><![CDATA[Initial WAS Options]]></PROFILE>
               <SCANNER>External (IP:, Scanner: 7.1.12-1,
                         WAS: 3.0.38-1, Signatures:2.2.492-1)</SCANNER>

            <NAME><![CDATA[Demo WebApplication]]></NAME>
            <OWNER>Edgar Venables(regen_ev)</OWNER>
            <OPERATING_SYSTEM><![CDATA[Linux 2.4-2.6 / Embedded Device
                             / F5Networks Big-IP]]></OPERATING_SYSTEM>
            <SCOPE>Limit to URLhostname</SCOPE>






WAS Reports in XML – Findings are now Base64 Encoded:


Findings in all WAS reports in XML format are Base64 encoded. Findings include vulnerability detections, information gathered and sensitive content. If you have clients that consume XML content returned by the WAS application (using the API or UI), please update your clients so that WAS findings data is processed accurately.



Base64 encoded data usually will have the attribute set to “base64=true”. For example:








If the “base64=true” attribute is not set, the value will be in plain text. For example:







Reports that were updated

Findings shown in these WAS reports are now Base64 encoded:

  • WAS v2 and v3 Scan Results
  • Web Application Report
  • Web Application Scan Report
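
A client-side reader for the Base64 convention described above, added here as an illustration and not Qualys code. The element names FINDINGS, FINDING, ID and PAYLOAD and the sample report are constructed assumptions; only the base64=true attribute comes from the release note.

```python
import base64
import binascii
import xml.etree.ElementTree as ET


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample report. Element names are hypothetical; only the
# base64="true" attribute convention is taken from the release note.
SAMPLE_XML = f"""<FINDINGS>
  <FINDING><ID>1</ID>
    <PAYLOAD base64="true">{_b64('name=<b>test</b>&id=1')}</PAYLOAD></FINDING>
  <FINDING><ID>2</ID>
    <PAYLOAD>plain text value</PAYLOAD></FINDING>
  <FINDING><ID>3</ID>
    <PAYLOAD base64="true">not*valid*base64</PAYLOAD></FINDING>
</FINDINGS>"""


def element_text(elem):
    """Return the element's value, decoding it when base64="true" is set."""
    raw = elem.text or ""
    if elem.get("base64", "").lower() != "true":
        return raw  # attribute absent: the value is plain text
    try:
        # Remove whitespace first so line-wrapped encodings still decode.
        data = base64.b64decode("".join(raw.split()), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"<{elem.tag}> is flagged base64 but does not decode") from exc
    # Findings can echo arbitrary bytes from the scanned site.
    return data.decode("utf-8", errors="replace")


def read_findings(xml_text):
    """Map each finding ID to its decoded payload, or None if undecodable."""
    results = {}
    for finding in ET.fromstring(xml_text).iter("FINDING"):
        fid = finding.findtext("ID")
        try:
            results[fid] = element_text(finding.find("PAYLOAD"))
        except ValueError:
            results[fid] = None  # keep parsing; flag this record for review
    return results
```

Decoded findings can contain markup captured from the scanned application, so escape them before displaying them in a web UI or ticket.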



Release Schedule

For details about the release dates and to subscribe to release notifications by email, please see the following:


Tip: What's my platform


One of the most important ways to protect your computer from harmful online content or malicious software is to keep your browser updated. Qualys BrowserCheck now offers this protection for Mac OSX 10.6.8 and later. This new release enables BrowserCheck on Macs to go beyond basic JavaScript tests to perform full, deep scans of your browsers and the “plugins” (extensions that applications load into browsers to  add new capabilities). These scans can tell you whether your browsers or plugins are out of date and potentially vulnerable to malicious code that hackers can hide in websites. BrowserCheck makes it easy for you to find out whether new versions of your browsers or the plugins you use are available so that you can download them to protect yourself against the latest threats.





BrowserCheck for Mac now supports all major browsers - Safari, Chrome & Firefox. It also checks the most-commonly-used plugins (called “add-ons” in some browsers) for insecure and out-of-date versions, and verifies that your OS security is properly configured. For each issue that it finds, it provides links to up-to-date versions or recommends ways to fix the problem. Below is a list of security configuration checks and plugins that BrowserCheck currently supports. The BrowserCheck FAQ gives further details.




In addition, BrowserCheck for both Windows and Mac now supports:

  1. Daily Auto Scans for Personal Users: The personal edition of BrowserCheck now provides one of the most popular features of our Business Edition: the ability to have scans automatically run every day. These scans happen silently in the background once per day while you’re browsing the Web; whenever issues are found, a security alert gets displayed to help you take care of the problem.

    The security alerts are concise and easy to read:

  2. Option to Embed BrowserCheck into custom webpages: Admins can embed BrowserCheck code within their organization's domain pages to make it easier for their employees to access it.

    Here's how embedding works:
    • Include the Javascript reference and set variables to embed Qualys BrowserCheck Scan into your web page within your domain
    • Track end-users' BrowserCheck results within the BrowserCheck Business Edition by logging into your account
    • Use the callback to get results into your JavaScript function to implement:
      - Access Control
      - Custom application
      - Custom UI
      - Default Qualys provided UI (below) with Fix It button
  3. Multiple User Logins in BrowserCheck Business Edition Management Console: Organizations can now give each admin their own access to the Business Edition management console. This is helpful especially in organizations where multiple admins are setting up user machines and can monitor machine activity.
  4. Do Not Track Settings for Asset and User Information: These settings prevent BrowserCheck from storing IP addresses, computer names or usernames in environments that have policies prohibiting any tracking of users’ habits.
  5. Purge Historic Data: Within the Business Edition management console, the IT Admin can now periodically delete older scan data so that reports focus on the latest view of their organization.



Get Qualys BrowserCheck now for safer web browsing.
