Skip navigation

A new release of QualysGuard®, Version 6.23, will be available in production on Tuesday, December 13th 2011. This release is completely transparent to users and will require no scheduled downtime. The release will occur between 12 PM PST (20:00 GMT) and 6 PM PST (02:00 AM GMT next day).


QualysGuard 6.23 includes the following enhancements to VM, Policy Compliance, API and platform capabilities:

QualysGuard Enhancements:

  • Oracle SID or Service Name Authentication: QualysGuard 6.23 introduces the ability to identify Oracle instances by either SID or Service Name, allowing customers to easily perform authenticated scanning of Oracle instances.
    Screen Shot 2011-11-23 at 7.03.06 AM.png
  • Remove IPs from Subscriptions:  QualysGuard 6.23 allows users with Manager roles to remove IPs from their subscription without requiring interaction with Qualys Support, reducing the time and effort required to eliminate unneeded or invalid IPs from QualysGuard.
    Screen Shot 2011-11-23 at 7.03.54 AM.png
  • Additional New Scanner Service Icon:  QualysGuard 6.23 adds an additional icon for the status of connectivity to New Scanner Services at the Qualys SOC.  The addition of a Not Used icon helps clarify when connectivity issues require immediate action, or can be safely disregarded.
    Screen Shot 2011-11-23 at 7.04.41 AM.png

QualysGuard Vulnerability Management Enhancements:

  • Improved Report Trending Data: With QualysGuard 6.23, trending reports have been changed to provide more accurate remediation metrics. Reports will now include data for vulnerabilities that have been fixed in the timeframe specified in your scan report template, even if the detection occurred prior to that window.


QualysGuard Policy Compliance Enhancements:

  • Create Policy using a Golden Image: With QualysGuard 6.23, you can now create a policy by selecting a host to act as a “Golden Image” for the new policy.  During policy creation, the scan results of the "Golden Image" are used to set the expected values in your new policy.

Golden Image.png

  • Policy Editor Improvements: QualysGuard 6.23 introduces several improvements to the Policy Editor including enhanced navigation using an outline, collapsible sections within the policy, and easier management of controls.  The new policy editor also allows you to switch back to the classic policy editor.

Policy Editor.png

  • Deprecated Controls:  To continually improve and simplify the technical controls used in Policy Compliance, QualysGuard 6.23 allows controls to be deprecated and replaced with new controls. Each deprecated control has one or more replacement controls. A new workflow is provided for replacing deprecated controls within your existing policies.

Control Deprecation.png

QualysGuard API Enhancements:

  • Vendor and Product Added to KnowledgeBase V2 API:  QualysGuard 6.23 enhances the KnowledgeBase API v2 (api/2.0/fo/knowledge_base/vuln/?action=list) to include the new elements <VENDOR> and <PRODUCT>.
  • Deprecated Control Flag: With QualysGuard 6.23, the <DEPRECATED> flag has been added to the following DTD:  Control List Output, Policy List Output, Posture Info Output.
  • Support for Service Name in Oracle Records:  In QualysGuard 6.23 the Oracle Authentication API (/api/2.0/fo/auth/oracle/) now supports the servicename input parameter, and XML output includes the <SERVICENAME> element.
  • IPv6 Asset Management:  QualysGuard 6.23 provides the new IPv6 Asset API (/api/2.0/fo/asset/ip/v4_v6) for Manager users to manage and scan IPv6 hosts using the API.  Additionally, the Detection API (/api/2.0/fo/asset/host/vm/detection/) has been enhanced with the <IPV6> element to indicate the IPv6 address of hosts scanned.


Full release notes will be available to customers from within the Resources section of your QualysGuard account. To receive more information on QualysGuard 6.23, please visit the Qualys Community at or contact your Technical Account Manager or Qualys' Technical Support Department at

A new release of QualysGuard® WAS, Version 2.1, will be available 11/17/2011 in production on the US Platform, featuring integration with Selenium to automate and simplify form authentication while scanning web applications along with other key features.


QualysGuard WAS 2.1 includes four significant enhancements that expand WAS coverage and control, increasing subscribers' ability to identify and manage web application risk in their environments. These enhancements include:


Selenium Authentication Support: WAS 2.1 adds support for Selenium scripts, which expands the ability of WAS to perform authenticated web application scans and identify vulnerabilities. The Selenium plugin ( enables a user to record his browser actions and save them as a script that can then be replayed at a later time. Through its use of Selenium, WAS 2.1 can effectively scan web applications that require complex authentication with multi-step login processes. Watch the video demo.





Client Certificate Support: WAS 2.1 expands its reach with support for client SSL certificates that are required by many high risk web applications. Many web applications in the financial and government sectors utilize client SSL certificates for two-factor authentication (TFA). This update will provide users with the ability to upload client SSL certificate files which will then be used by WAS to perform authenticated scanning, expanding the scanning coverage and increasing the number of web application vulnerabilities identified.



Post Data Black List: WAS 2.1 enables better scan coverage and control. A web application scanner may submit forms hundreds of times to test for vulnerabilities. Some web applications have areas that may cause adverse effects when tested with such a high volume of requests by automated tools. Black Listing the URL is the usual approach, but this eliminates testing on some aspects of a web application page that may not cause the adverse impact, such as viewing the page. With Post Data Black Lists, users can identify pages for which forms should not be submitted. This prevents the potential impact of posting the forms but allows the page view to be evaluated for security vulnerabilities, increasing the coverage while lowering the risk of scanning impact on the application.



Additional URL Support: WAS 2.1 expands coverage by enabling users to upload a list of links to be scanned that may not be linked to the initial URL. Many applications send application related page links via email which users use to register new passwords. These URLs may never be linked to by any page within the application yet are still considered part of the application. WAS 2.1 allows users to specify these URLs and expand the coverage of the scan to include all the web application functionality.




Taken together, the four new features of WAS 2.1 expand the range of web applications that are effectively scanned by WAS.


Note that expected availability of QualysGuard WAS 2.1 on the EU Platform is scheduled for December 15th, 2011.


To receive more information on QualysGuard WAS 2.1, please visit the Qualys WAS community or contact your Technical Account Manager.

Qualys has completed testing a significant upgrade to its database infrastructure in the US SOC that is aimed to increase the capacity and scalability of the QualysGuard service to address the explosive growth of scanning/reporting from our customers. After extensive testing of the new database capabilities and working with Oracle to identify and resolve the root cause behind the disk corruption errors that occurred during the Oct 20th roll out (more info), Qualys' operations team is now ready to reinstate this upgrade.


To perform this new roll out, a 12-hour downtime is required starting on December 8, 2011 at 12:00 PM PST (20:00 GMT). Please note that all QualysGuard services will not be available during this downtime including:



Any scans running at the start of the scheduled downtime will be canceled and any scans scheduled to begin during the downtime will start immediately following the scheduled downtime. Customers are advised to make sure that the re-start of scheduled scans after the downtime does not interfere with normal network operations.


We really appreciate your patience while we rapidly implement our capacity plans over next couple of months, which are specifically designed to provide sufficient compute capacity to the QualysGuard infrastructure and handle the accelerated adoption of our services. In addition to increasing the core compute capacity of the existing US Shared Platform, we are in parallel deploying an entirely new platform leveraging our platform on-demand architecture, which allows us to scale the service horizontally.


If you have any further questions regarding this upgrade, please feel free to contact Qualys Technical Support at or +1 (866) 801 6161.


P.S. You can get automated QualysGuard upgrade and system notifications from the Qualys Community by subscribing at:


We thank you for your continued support and look forward to continuously improving our services.