For my example I am building a report that look for any hosts running the PC Anywhere service.
Step1: create a search list that looks for the two QID’s that designate and Unauthorized Port or Service have been detected.
Setp2: Create a Report Template with the new Search List you created that looks for the ports or services you do not want to see running on your hosts.
CREATE SEARCH LIST:
1. From QualysGuard VM click on the Report section, then click on the Search List tab.
2. Click on New, then Static List.
3. In the Edit Static Vulnerability Search List window that opens, give this new Search List a title.
4. Next click on the QID’s tab, then click the Manual button and put in the QID’s 38175 (Unauthorized Service Detected) and 82043 (Unauthorized Open Port Detected) separated by a comma and click OK
5. Your Search List is now created (remember the title you gave it as we will be adding it to your Report Template).
CREATE REPORT TEMPLATE:
1. From the Reports section click on the Templates tab, then click New and choose Scan Template.
2. Give your report a title.
3. Click on the Scan Results Section tab and choose your IP’s or Assets to run the report on.
4. Click on the Display tab and scroll to the bottom to make sure in the Detailed Results section you have the following checked. Vulnerability Details, Results, and Appendix.
5. Now click on the Filter tab and in the Selective Vulnerability Reporting section click on Custom and then click to add the Search List you created in Setup 1.
6. Now click on the Services and Ports tab and from the Available Services list find pcanywhere and add it to the Unauthorized Services window. NOTE: This is not a full proof way of finding all hosts with pcanywhere installed because it is possible for the scan to miss or not identify what service is running on the port, which is why we also search for the specific ports in this template.
7. Scroll to the bottom of the window and in the Unauthorized Ports field put the ports your hosts use pcanywhere on (the default ports are 5631 & 5632). Separate each port by a comma.
8. Your report template can now be ran to check for hosts running PC Anywhere.