Remove Obsolete IPs and Scan Results

Document created by Leif Kremkow (Employee) on Aug 30, 2012. Last modified by Leif Kremkow (Employee) on Sep 2, 2016.
Version 6

Update2: As of June 23rd, 2016, there is now a feature released as part of "Qualys Cloud Suite 8.8" whereby the vulnerabilities of IPs that have not been seen alive for a certain number of times can be marked as "Closed/Fixed" automatically. See "Qualys Cloud Suite 8.8 New Features" or the PDF of the release notes. Note that at the time of writing, this feature is not available by default; it must be enabled for your subscription. Please contact your Technical Account Manager or Support to get it.

 

Update1: This article was updated to reflect the new UI dialogs that no longer allow a manual removal of IPs from the list of IPs that are to be removed from the subscription.

 

Introduction

If you have used Qualys for a while, you might find that there are far more IPs and scan results in your account than you actually care for. Dead space might have been created when IP addressing space was added that is now defunct, the devices of these ranges having moved elsewhere. This article describes a method whereby you can isolate the population of devices that are of interest to you, and remove all the rest by purging any scan results and then removing the IPs from the subscription completely.

 

Requirements/Incompatibilities

It is assumed that you have Manager access to your subscription.

 

There are three situations where this approach is not recommended and may actually break your configuration:

  1. If you have registered DHCP addressing space in your account and are scanning the whole DHCP addressing space so that you can scan IPs assigned by DHCP lease when the scanner comes across a live system. Using this approach will remove any IP addresses from your registered addressing space that have not yet had a device on them. Should such an IP be assigned a lease after you've removed it from the account, it will not get scanned.
  2. In similar fashion, if you are scanning all your IP addresses out of due diligence, just in case a service comes alive on a given IP, but to date some addresses have never seen a live target. Just like with DHCP ranges, in this case this method of removing superfluous addresses will remove targets that you might want to be scanning in the future.
  3. If you are using Policy Compliance. The Asset Search and IP Removal can find and remove IP addresses from the Policy Compliance module too. If you are using Policy Compliance, you will need to make sure you craft your Asset Search queries in such a way as to keep Policy Compliance only IPs in your subscription.

 

Define the Known Good List

Go to Assets > Asset Search

Asset Search.png

 

 

 

 

Use the Asset Group "All" for the "Search for" criteria and "Last Scan Date within the past 90 days" from "With the following attributes".

Search All.png

Last Scan Date.png

 

This produces a list of the IPs for which there are scan results available. Since there are recent results available, these must be the targets that you want to keep.

 

From "Actions" in the "Asset Search Report" window, select "Add All to a new Asset Group" and click "Apply". Confirm when prompted "Are you sure you want to add all n assets to a new Asset Group".

 

In the "New Asset Group" dialog, give the Asset Group a title, such as "IPs to Keep" and then "Save". Close the Asset Search Report window.

 

Go to "Assets" > "Asset Groups", and select "Info" for the Asset Group you just created, probably "IPs to Keep".

Asset Group Info.png

 

In the "Asset Group Information" dialog, go to the IPs section, select all the IPs in the IPs box, then use your computer's "copy" function (e.g. Ctrl-C or CMD-C).

Select IPs.png

 

Close the dialog. Keep the list of "good" IPs in the clipboard memory.

 

Still in the "Asset Groups" tab, use the "New" button to create (another) "Asset Group…"

 

Give it a name, such as "IPs to Remove".

 

In the "IPs" section, use "Select IPs" to select all the IPs in the subscription.

 

Now, still in the same dialog, select "Remove". In "Enter IPs to Remove", paste (e.g. Ctrl-V or CMD-V) the IPs you should still have in the clipboard memory.

 

Press "Remove".

 

This will alter the list of IPs in the "IP Hosts" field. Now "Save" the Asset Group.
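Before moving on to the removal, the resulting "IPs to Remove" list can be checked offline. The following is an added example, not part of the original article or of any Qualys tooling: it recomputes "all subscription IPs minus IPs to Keep" and holds back anything that falls inside ranges you want to protect (DHCP pools, never-yet-live ranges, Policy Compliance-only hosts). It assumes the lists are comma-separated IPv4 addresses and hyphenated ranges as copied from the dialogs (CIDR is accepted for convenience); the function names and sample addresses are hypothetical.

```python
import ipaddress

def parse_ip_list(text):
    """Expand comma/newline-separated IPv4 addresses, a-b ranges and CIDRs to a set of ints."""
    ips = set()
    for token in text.replace("\n", ",").split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in token.split("-", 1))
            if hi < lo:
                raise ValueError(f"reversed range: {token}")
        elif "/" in token:
            net = ipaddress.IPv4Network(token, strict=False)
            lo, hi = int(net.network_address), int(net.broadcast_address)
        else:
            lo = hi = int(ipaddress.IPv4Address(token))
        ips.update(range(lo, hi + 1))
    return ips

def format_ranges(ips):
    """Collapse a set of ints into sorted address / a-b range strings."""
    out, start, prev = [], None, None
    for ip in sorted(ips) + [None]:          # None is a sentinel that flushes the last run
        if ip is not None and prev is not None and ip == prev + 1:
            prev = ip
            continue
        if start is not None:
            a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(prev)
            out.append(str(a) if a == b else f"{a}-{b}")
        start = prev = ip
    return out

def plan_removal(subscription, keep, protected=""):
    """Return (ranges to remove, ranges held back because they are protected)."""
    candidates = parse_ip_list(subscription) - parse_ip_list(keep)
    held = candidates & parse_ip_list(protected)
    return format_ranges(candidates - held), format_ranges(held)

# Constructed sample data, not taken from a real subscription.
SUBSCRIPTION = "10.0.0.1-10.0.0.20, 10.0.5.0/28, 192.168.1.10"
KEEP = "10.0.0.1-10.0.0.5, 10.0.0.9, 192.168.1.10"   # contents of "IPs to Keep"
PROTECTED = "10.0.5.0/28"                             # e.g. a DHCP pool

if __name__ == "__main__":
    remove, held = plan_removal(SUBSCRIPTION, KEEP, PROTECTED)
    print("Remove:", ", ".join(remove))
    print("Held back:", ", ".join(held))
```

Any range reported as held back should be taken out of "IPs to Remove" before the removal step.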

 

Removing the Superfluous Addresses

Go to "Assets" > "Host Assets", press the "New" button, and select "Remove IPs...".

Remove IPs.png

 

In the "Remove IPs from Subscription" dialog, press "Select Asset Group". In the "Add IPs from Asset Group" dialog, select the Asset Group of the IPs to remove, named "IPs to Remove" from above. Press "Add".

 

This will populate the "Remove IPs" list of the "Remove IPs from Subscription" dialog.

 

Complete the process by pressing "Remove" and confirming your intention to remove the named IPs by hitting "Confirm".

 

You can now go back to "Asset Groups" and delete the Asset Groups "IPs to Keep" and "IPs to Remove".
