Steps of the Policy Compliance Scan

Document created by Leif Kremkow (Employee) on Jan 28, 2016

The Qualys Policy Compliance scan runs through 4 principal phases:

  1. determine if the target is responsive (i.e. "alive"); there is little point in spending time on a target that is not reachable over the network or even switched on;
  2. perform a limited scan to determine if we have the access needed to perform a Compliance Scan;
  3. retrieve the Operating System type from the target; this is matched against the Technologies for which there are Controls;
  4. retrieve data points for all Controls of a given Technology.


It is worth noting that by default the Qualys Policy Compliance scan will retrieve data for all Controls - regardless of what, if any, a Policy might specify. It is only later, during the reporting phase, that data points for Controls are evaluated against Policies that the user defined.
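The following is an added illustrative model (not Qualys code) of the four phases and of the later report-time evaluation, written to show that the scan stops at the first failed phase and that, once it reaches phase 4, it stores data points for every Control of the Technology while Policies are only consulted when a report is built. Hosts, Control IDs and Policies below are constructed sample data, not real Qualys identifiers.

```python
"""Added example (not Qualys code): a model of the four scan phases and
the separate report-time policy evaluation.  All hosts, control ids and
policies are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    alive: bool            # phase 1 outcome
    credentials_ok: bool   # phase 2 outcome
    os: str                # phase 3: operating system type reported by the target
    # constructed raw values the target would return, keyed by control id
    data_points: dict = field(default_factory=dict)


# constructed: the control ids collected for each supported technology
CONTROLS_BY_TECH = {
    "Windows": ["CID-100", "CID-101", "CID-102"],
    "Linux": ["CID-200", "CID-201"],
}


def scan(host):
    """Phases 1-4.  Returns (status, collected); collected holds a data
    point for every control of the technology, whatever any policy asks."""
    if not host.alive:                        # phase 1: target responsive?
        return "not alive", {}
    if not host.credentials_ok:               # phase 2: access for compliance scan?
        return "insufficient access", {}
    tech = host.os                            # phase 3: OS -> technology with controls
    if tech not in CONTROLS_BY_TECH:
        return "unsupported technology", {}
    collected = {cid: host.data_points.get(cid) for cid in CONTROLS_BY_TECH[tech]}
    return "scanned", collected               # phase 4: all controls, not a policy subset


def evaluate(collected, policy):
    """Report time: compare stored data points with one policy's expected values.
    policy maps control id -> expected value; controls a policy omits are ignored,
    and the same collected data can be evaluated against any number of policies."""
    return {cid: collected.get(cid) == expected for cid, expected in policy.items()}
```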


Below is a flow-chart that illustrates the steps the scan engine goes through.

[Figure: Qualys Policy Compliance Scan Process.png]
