The Qualys Policy Compliance scan runs through 4 principal phases:
- determine if the target is responsive (i.e. "alive"); there is little point in spending time on a target that is not reachable over the network or even switched on;
- perform a limited scan to determine if we have the access needed to perform a Compliance Scan;
- retrieve the Operating System type from the target; this is matched against the Technologies for which we have Controls;
- retrieve data points for all Controls of a given Technology.
It is worth noting that by default the Qualys Policy Compliance scan will retrieve data for all Controls, regardless of what, if any, a Policy might specify. It is only later, during the reporting phase, that the data points collected for those Controls are evaluated against the Policies the user has defined.
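To make the four phases and the collection/evaluation split concrete, here is a small added model of the flow (example code written for this page, not Qualys code). The hosts, OS-to-Technology mapping, Control IDs and Policies are all constructed sample data; the point it shows is that a scan stops early when a target is not alive or not accessible, that every Control of the detected Technology is collected, and that Policies are only applied afterwards.

```python
# Constructed inventory standing in for what the scan engine learns about each target.
HOSTS = {
    "10.0.0.5": {"alive": True,  "auth_ok": True,  "os": "Linux 5.x"},
    "10.0.0.6": {"alive": True,  "auth_ok": False, "os": "Windows Server"},
    "10.0.0.7": {"alive": False, "auth_ok": True,  "os": "Linux 5.x"},
}

# Constructed mapping: OS fingerprint -> (Technology, {Control ID: collected data point}).
# The Control IDs are placeholders, not real Qualys CIDs.
TECHNOLOGIES = {
    "Linux 5.x": ("Linux", {
        "CID-A": "password_min_len=12",
        "CID-B": "ssh_root_login=no",
        "CID-C": "umask=022",
    }),
    "Windows Server": ("Windows", {
        "CID-D": "guest_account=disabled",
    }),
}


def scan_host(ip):
    """Phases 1-4 of the scan. Returns (status, technology, datapoints).

    Data points for ALL Controls of the detected Technology are collected;
    no Policy is consulted at this stage.
    """
    host = HOSTS.get(ip)
    if host is None or not host["alive"]:      # phase 1: target not reachable
        return "not_alive", None, {}
    if not host["auth_ok"]:                     # phase 2: no access for a Compliance Scan
        return "no_access", None, {}
    technology, controls = TECHNOLOGIES[host["os"]]  # phase 3: OS -> Technology
    return "scanned", technology, dict(controls)     # phase 4: collect every Control


def evaluate(datapoints, policy):
    """Reporting phase: compare stored data points against one Policy.

    Only the Controls the Policy names are judged; a Control the scan did not
    collect is reported as 'NO_DATA' rather than silently passed.
    """
    results = {}
    for cid, expected in policy.items():
        if cid not in datapoints:
            results[cid] = "NO_DATA"
        else:
            results[cid] = "PASS" if datapoints[cid] == expected else "FAIL"
    return results
```

Because evaluation is separate, the same stored data points can be reported against a second, stricter Policy without rescanning the host.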
Below is a flow-chart that illustrates the steps the scan engine goes through.